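I am trying to test a command injection vulnerability.
I am using a servlet that executes the ls command, and I then tried to pass another command in the URL to exploit the command injection vulnerability, but nothing happens when I pass the new command. Here is my servlet code and the URL I used to pass the new command: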
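import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

// javax.servlet is assumed here; on Jakarta EE 9+ the package is jakarta.servlet
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/command")
public class CommandInjectionServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // The request parameter is concatenated, unvalidated, into the command string
            String comm = "/bin/bash -c ls " + request.getParameter("parameter");
            Process process = Runtime.getRuntime().exec(comm);
            // Copy the command's standard output into the HTTP response
            BufferedReader stdInput = new BufferedReader(
                    new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8));
            String s = null;
            while ((s = stdInput.readLine()) != null) {
                response.getWriter().println(s);
            }
        } catch (IOException e) {
            e.printStackTrace();
            System.out.println("Error executing command");
        }
    }
}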
And the URL I used …
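
An added example, not part of the original question: it shows how `Runtime.exec(String)` turns the servlet's command string into an argument array, next to a hardened listing that runs `ls` without a shell. The class name, helper names, sample parameter value and temporary directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class ExecArgvDemo {
    // Runtime.exec(String) does not start a shell to parse the string: it splits
    // it on whitespace with new StringTokenizer(command) and executes that argv.
    static List<String> tokenizeLikeRuntimeExec(String command) {
        List<String> argv = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            argv.add(st.nextToken());
        }
        return argv;
    }

    // Hardened listing: fixed program, no shell, "--" ends option parsing, and
    // the user value must stay under baseDir (symlinks inside it are not resolved).
    static String safeListing(Path baseDir, String userValue) throws IOException {
        Path base = baseDir.toRealPath();
        Path target = base.resolve(userValue).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        Process p = new ProcessBuilder("/bin/ls", "--", target.toString())
                .redirectErrorStream(true).start();
        return new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        String param = "docs; echo INJECTED"; // constructed sample input
        // bash -c uses only the token after -c ("ls") as its command string; the
        // later tokens become $0, $1, ... and are never parsed as shell syntax.
        System.out.println(tokenizeLikeRuntimeExec("/bin/bash -c ls " + param));

        Path base = Files.createTempDirectory("listing-demo");
        Files.createFile(base.resolve("report.txt"));
        System.out.print(safeListing(base, "."));    // lists the base directory
        System.out.print(safeListing(base, param));  // one literal, nonexistent file name
        try {
            safeListing(base, "../");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```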