use strict;
my $str = '"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF"}
data = "------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name=\\"id\\"
%{
(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map.setBean(#request.get(\'struts.valueStack\')) == true).toString().substring(0,0) +
(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get(\'map\').get(\'context\')) == true).toString().substring(0,0) +
(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get(\'map2\').get(\'memberAccess\')) == true).toString().substring(0,0) +
(#request.get(\'map3\').put(\'excludedPackageNames\',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#request.get(\'map3\').put(\'excludedClasses\',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +
(#application.get(\'org.apache.tomcat.InstanceManager\').newInstance(\'freemarker.template.utility.Execute\').exec({\'whoami\'}))
}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF\\xe2\\x80\\x94"
/?name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=\'cat /etc/passwd\').(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(#cmds=(#iswin?{\'cmd.exe\',\'/c\',#cmd}:{\'/bin/bash\',\'-c\',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
/index.action?method:#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#res=@org.apache.struts2.ServletActionContext@getResponse(),#res.setCharacterEncoding(#parameters.encoding[0]),#w=#res.getWriter(),#s=new java.util.Scanner(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()).useDelimiter(#parameters.pp[0]),#str=#s.hasNext()?#s.next():#parameters.ppp[0],#w.print(#str),#w.close(),1?#xx:#request.toString&pp=\\\\A&ppp= &encoding=UTF-8&cmd=cat /etc/passwd
------WebKitFormBoundaryl7d1B1aGsV2wcZwF\\r\\nContent-Disposition: form-data; name=\\"id\\"\\r\\n\\r\\n%{\\r\\n(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\\r\\n(#request.map.setBean(#request.get(\'struts.valueStack\')) == true).toString().substring(0,0) +\\r\\n(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\\r\\n(#request.map2.setBean(#request.get(\'map\').get(\'context\')) == true).toString().substring(0,0) +\\r\\n(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\\r\\n(#request.map3.setBean(#request.get(\'map2\').get(\'memberAccess\')) == true).toString().substring(0,0) +\\r\\n(#request.get(\'map3\').put(\'excludedPackageNames\',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\\r\\n(#request.get(\'map3\').put(\'excludedClasses\',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\\r\\n(#application.get(\'org.apache.tomcat.InstanceManager\').newInstance(\'freemarker.template.utility.Execute\').exec({\'CMD\'}))\\r\\n}\\r\\n------WebKitFormBoundaryl7d1B1aGsV2wcZwF--\\xe2\\x80\\x94
';
my $regex = qr/\%[\s|\\r|\\n]*\{[\s|\\r|\\n]*(?:[\s|\\r|\\n]*\(\#[^\=]+\=[^\)]+\)\.)/ip;
if ( $str =~ /$regex/g ) {
print "Whole match is ${^MATCH} and its start/end positions can be obtained via \$-[0] and \$+[0]\n";
# print "Capture Group 1 is $1 and its start/end positions can be obtained via \$-[1] and \$+[1]\n";
# print "Capture Group 2 is $2 ... and so on\n";
}
# ${^POSTMATCH} and ${^PREMATCH} are also available with the use of '/p'
# Named capture groups can be called via $+{name}
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Perl, please visit: http://perldoc.perl.org/perlre.html