1. The beginning is a clock interface
2. Scan directory find / list directory
Background landing is open, I looked at the source code, did not find anything, anxious. . .
3. Search for a wave of wp on Baidu, found that in css hidden inside something
Background background image is actually read this, it is estimated there may be vulnerability to read files,
In addition, the discovery packet capture page is written in jsp
Trying to read the configuration file web.xml
Payload:
http://111.198.29.45:32744/loadimage?fileName=../../WEB-INF/web.xml
Local open with notepad ++
Profile is written inside Struts2, search the next Struts2 directory structure,
Reference links:
https://blog.csdn.net/u010004082/article/details/79351459
https://www.cnblogs.com/pigtail/archive/2013/02/12/2910348.html
apps- store all Struts2 sample project
docs- Struts2 and store all documents XWork
lib- store all relevant Struts2 Struts2 JAR file and runtime dependencies JAR file
src- Struts2 store all the source code to the designated Maven project directory structure to store
Continue reading struts.xml file
Payload:
http://111.198.29.45:32744/loadimage?fileName=../../WEB-INF/classes/struts.xml
Notepad to open struts.xml
Here you can see there are many class class class name, tried it, you can download one by one, into a forward slash dot, and then add .class later can be downloaded, download decompile class file with jd
http://111.198.29.45:32744/loadimage?fileName=../../WEB-INF/classes/applicationContext.xml
Here we find a user.hbm.xml
By-download the configuration file in the class, decompile it
Here the user name to the filter, filtering spaces and equal signs
After decompile can directly see the query (here mysql sql statement and not the same, using HSQL)
hsql refer to this article, and mysql statement is not very different, but also different
https://www.cnblogs.com/fengyouheng/p/11013013.html
4. injection
You can try to construct a universal password
This one is blue stitching statement
Here filtered to consider the use of line breaks little space to handle it
Payload:
/zhuanxvlogin?user.name=admin%27%0Aor%0A%271%27%3E%270'%0Aor%0Aname%0Alike%0A'admin&user.password=1
Landing into, but futile, flag is in a database
Blind statements directly behind the injection of reference of wp
https://www.jianshu.com/p/b940d0aaa9fa
https://xz.aliyun.com/t/2405#toc-27
flag as follows
Ah, finally say, when submitted sctf capitalized.docs- Struts2 and store all documents XWork
lib- store all relevant Struts2 Struts2 JAR file and runtime dependencies JAR file
src- Struts2 store all the source code to the designated Maven project directory structure to store
Continue reading struts.xml file
Payload:
http://111.198.29.45:32744/loadimage?fileName=../../WEB-INF/classes/struts.xml
Notepad to open struts.xml
Here you can see there are many class class class name, tried it, you can download one by one, into a forward slash dot, and then add .class later can be downloaded, download decompile class file with jd
http://111.198.29.45:32744/loadimage?fileName=../../WEB-INF/classes/applicationContext.xml
Here we find a user.hbm.xml
By-download the configuration file in the class, decompile it
Here the user name to the filter, filtering spaces and equal signs
After decompile can directly see the query (here mysql sql statement and not the same, using HSQL)
hsql refer to this article, and mysql statement is not very different, but also different
https://www.cnblogs.com/fengyouheng/p/11013013.html
4. injection
You can try to construct a universal password
This one is blue stitching statement
Here filtered to consider the use of line breaks little space to handle it
Payload:
/zhuanxvlogin?user.name=admin%27%0Aor%0A%271%27%3E%270'%0Aor%0Aname%0Alike%0A'admin&user.password=1
Landing into, but futile, flag is in a database
Blind statements directly behind the injection of reference of wp
https://www.jianshu.com/p/b940d0aaa9fa
https://xz.aliyun.com/t/2405#toc-27
flag as follows
Ah, finally say, when submitted sctf capitalized.