Vulnerability overview
Apache Struts is an open-source project maintained by the Apache Software Foundation: an open-source MVC framework for creating enterprise-class Java web applications. An arbitrary code execution vulnerability exists in the Showcase application of the Struts 2.3.x series, which demonstrates the Struts2 plug-in that integrates Struts 1. When your application uses the Struts2 Struts1 plug-in, untrusted input may be passed into the ActionMessage class, resulting in command execution.
Solution
When you pass a message to ActionMessage, always use a resource key, as in the following, and do not pass the raw value directly:
messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
It should never look like this:
messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
On to the main text!
In the afternoon, I saw in my circle of friends that someone had posted an exp for st2-048 on GitHub.
Reproduced successfully.
It contains the POCs for st2-045, 46 and 48, and a Python version.
The Python version reproduced successfully. PS: this screenshot is from another member who successfully reproduced the POC.
POC and more defense solutions: https://bbs.ichunqiu.com/thread-24504-1-1.html?from=bky
Struts2 hit by a remote command execution vulnerability again! [W3bsafe] struts2-048 POC shell and defense repair solution, first look!