
1. Summary of Struts2 vulnerability exploitation

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Starting from today, I intend to record my process of digging for vulnerabilities bit by bit. I have been in contact with web*** for 17 years. I have finished the course of cracer17 for 17 years. I have seen the open course of NetEase. I am currently studying the kali*** test in the safety bull class. In fact, I feel very sad. I have learned a lot, but I feel that I will learn too little. Up to now, my experience of digging up a vulnerability is still 0 (want to cry).

Occasionally very confused, what on earth have they learned, what is the use of learning but not!

This is a new beginning, to practice instead of learning, from shallow to deep, this series is dedicated to children who have been confused as much as I have.

No gossip, let's get to the point. I will improve and supplement these articles regularly. I hope everyone can communicate more.

For the first stop, let's study the Struts2 vulnerability. Here I will first talk about how the vulnerability is used, share the tools, and finally gradually supplement the principle of the vulnerability. Please forgive a beginner's limited ability.

1. Information collection: keywords:

inurl:.action?

inurl:.action?id

inurl:.action?mid

inurl:.action?<parameter name>

inurl:index.action

inurl:login.action

2. Tools: a URL crawler together with a Struts2 tool

URL collection: https://pan.baidu.com/s/1BEKGHck1XDQrO0zLeLwe4Q

Extraction password: 3ne6

Struts exploitation: https://pan.baidu.com/s/1SQ-NW9rtzm7sRfIC9_0YrQ

Extraction password: 5emo

3. An example

I believe you have seen that the accuracy of the URL collection is too poor. All right, let's change it. We'll write it ourselves later, woo.

Well, it's pretty accurate. Let's start to verify it next.

Many brothers will ask whether so many URLs have to be tested manually one by one. My answer is of course no. I am teaching myself Python, and later I will write tools to share with you. All right, that's it for now, the first article ends hastily!

Reproduced from my CSDN blog https://mp.csdn.net/postedit/79841604
