This challenge was only solved after the competition had ended; working through it also taught me the JavaAgent technique.

Bypassing the Filter

com.example.customer.filter.CustomerFilter#doFilter contains the following filter logic:

```java
String uri = ((HttpServletRequest) request).getRequestURI().replaceAll("/api", "");
String endpoint = uri.replaceAll("/", "");
if (endpoint.equalsIgnoreCase("changefood")) {
    response.getWriter().write("Under construction...");
} else {
    chain.doFilter(request, response);
}
```

It can be bypassed by exploiting how the URL is parsed; the payload is as follows:

http://192.168.195.128:32821/api;a=b/changefood

Code audit --- SpEL injection RCE

The code of com.example.customer.controller.OrderController#change is as follows:

```java
public String change(@RequestParam String foodServiceClassName, @RequestParam String name)
        throws ClassNotFoundException, InvocationTargetException, InstantiationException,
               IllegalAccessException, NoSuchMethodException {
```
………………………………
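To show the filter bypass from the defender's side, here is an added example (my own code, not code from the challenge; the class and method names are mine, and it assumes Java 10+ for URLDecoder.decode(String, Charset)). It reduces the filter's endpoint check to a pure function over the raw request URI and places a hardened variant beside it: the original compares a hand-mangled copy of getRequestURI(), whereas the router resolves the path only after stripping `;` path parameters and percent-decoding, so the two can disagree.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class EndpointCheckDemo {

    // The page's filter logic, reduced to a pure function over the raw request URI
    // (what HttpServletRequest#getRequestURI() returns, path parameters included).
    static boolean vulnerableBlocks(String requestUri) {
        String uri = requestUri.replaceAll("/api", "");
        String endpoint = uri.replaceAll("/", "");
        return endpoint.equalsIgnoreCase("changefood");
    }

    // Hardened variant: normalize the path the way a router does before comparing it.
    // Strips ";key=value" path parameters per segment, percent-decodes, drops empty
    // and "." segments, resolves "..", then compares the whole path, not a substring.
    static boolean hardenedBlocks(String requestUri) {
        List<String> parts = new ArrayList<>();
        for (String seg : requestUri.split("/")) {
            int semi = seg.indexOf(';');
            if (semi >= 0) seg = seg.substring(0, semi);         // "api;a=b" -> "api"
            seg = URLDecoder.decode(seg, StandardCharsets.UTF_8); // "change%66ood" -> "changefood"
            if (seg.indexOf('/') >= 0) return true;              // encoded slash: fail closed
            if (seg.isEmpty() || seg.equals(".")) continue;      // collapses "//" and "/./"
            if (seg.equals("..")) {
                if (!parts.isEmpty()) parts.remove(parts.size() - 1);
                continue;
            }
            parts.add(seg);
        }
        String normalized = "/" + String.join("/", parts);
        return normalized.equalsIgnoreCase("/api/changefood");
    }

    public static void main(String[] args) {
        // Constructed sample request URIs; the second one is the bypass from the write-up.
        String[] samples = {
            "/api/changefood",
            "/api;a=b/changefood",
            "/api/./changefood",
            "/api//changefood",
            "/api/change%66ood",
        };
        for (String s : samples) {
            System.out.printf("%-22s vulnerable filter blocks=%-5b hardened filter blocks=%b%n",
                    s, vulnerableBlocks(s), hardenedBlocks(s));
        }
    }
}
```

In a real filter the more robust fix is to decide on the route the framework itself resolves (a servlet-mapping-based check or a Spring Security request matcher) rather than re-parsing getRequestURI() by hand, which removes this whole class of parser mismatch.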