{"id":3282,"date":"2017-04-04T13:09:57","date_gmt":"2017-04-04T05:09:57","guid":{"rendered":"https:\/\/ixyzero.com\/blog\/?p=3282"},"modified":"2017-04-04T13:09:57","modified_gmt":"2017-04-04T05:09:57","slug":"struts2%e8%bf%91%e5%b9%b4%e5%87%ba%e7%8e%b0%e7%9a%84%e9%ab%98%e5%8d%b1%e6%bc%8f%e6%b4%9e%e5%8f%8a%e7%9b%b8%e5%85%b3%e4%bf%a1%e6%81%af%e6%80%bb%e7%bb%93","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/3282.html","title":{"rendered":"A Summary of the Critical Struts2 Vulnerabilities of Recent Years and Related Information"},"content":{"rendered":"<p>=Start=<\/p>\n<h4>Background:<\/h4>\n<p>I remember that when I had just graduated, Struts2 had a critical vulnerability disclosed (Struts2-016); from then on the Struts2 framework was on my radar. Four years have passed and it still keeps up a pace of several critical vulnerabilities a year, living up to its nickname of &#8220;king of vulnerabilities&#8221;.<\/p>\n<p>This post mainly records the critical Struts2-related vulnerabilities that have appeared in recent years, together with some PoC\/EXP for verifying them, so that they are handy for routine testing.<\/p>\n<h4>Body:<\/h4>\n<h5>Reference answers:<\/h5>\n<p>Struts2-Security_Bulletins (the security bulletin board of the Struts2 framework)<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/security-bulletins.html\">https:\/\/struts.apache.org\/docs\/security-bulletins.html<\/a><\/p>\n<p>S2-016 \u2014 A vulnerability introduced by manipulating parameters prefixed with &#8220;action:&#8221;\/&#8220;redirect:&#8221;\/&#8220;redirectAction:&#8221; <span style=\"color: #ff0000;\"><strong>allows remote command execution<\/strong><\/span><br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-016.html\">https:\/\/struts.apache.org\/docs\/s2-016.html<\/a><\/p>\n<p>S2-029 \u2014 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, <span style=\"color: #ff0000;\"><strong>may lead to remote code execution<\/strong><\/span>.<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-029.html\">https:\/\/struts.apache.org\/docs\/s2-029.html<\/a><\/p>\n<p>S2-032 \u2014 <span style=\"color: #ff0000;\">Remote Code Execution can be performed<\/span> via method: prefix when Dynamic Method Invocation is enabled.<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-032.html\">https:\/\/struts.apache.org\/docs\/s2-032.html<\/a><\/p>\n<p>S2-033 \u2014 <span style=\"color: #ff0000;\">Remote Code Execution can be performed<\/span> when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-033.html\">https:\/\/struts.apache.org\/docs\/s2-033.html<\/a><\/p>\n<p>S2-036 \u2014 Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, <strong><span style=\"color: #ff0000;\">may lead to remote code execution<\/span><\/strong> (similar to S2-029)<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-036.html\">https:\/\/struts.apache.org\/docs\/s2-036.html<\/a><\/p>\n<p>S2-037 \u2014 <span style=\"color: #ff0000;\">Remote Code Execution can be performed<\/span> when using REST Plugin.<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-037.html\">https:\/\/struts.apache.org\/docs\/s2-037.html<\/a><\/p>\n<p>S2-045 \u2014 <span style=\"color: #ff0000;\"><strong>Possible Remote Code Execution<\/strong><\/span> when performing file upload based on Jakarta Multipart parser.<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-045.html\">https:\/\/struts.apache.org\/docs\/s2-045.html<\/a><\/p>\n<p>S2-046 \u2014 <span style=\"color: #ff0000;\"><strong>Possible RCE<\/strong><\/span> when performing file upload based on Jakarta Multipart parser (similar to S2-045)<br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-046.html\">https:\/\/struts.apache.org\/docs\/s2-046.html<\/a><\/p>\n<p>====<br \/>\nsite:freebuf.com struts2 remote code execution<br \/>\nStruts2 exp genxor<br \/>\n====<\/p>\n<p>[Updated] Struts2 Hit by Another Remote Code Execution Vulnerability (S2-016)<br \/>\n<a href=\"http:\/\/www.freebuf.com\/vuls\/11220.html\">http:\/\/www.freebuf.com\/vuls\/11220.html<\/a><br \/>\n<a href=\"https:\/\/struts.apache.org\/docs\/s2-016.html\">https:\/\/struts.apache.org\/docs\/s2-016.html<\/a> # S2-016 (2013-07-17)<\/p>\n<p>Analysis of Several Recent Struts2 Vulnerabilities &amp; Stable Exploitation Payloads<br \/>\n<a href=\"http:\/\/www.freebuf.com\/articles\/web\/25337.html\">http:\/\/www.freebuf.com\/articles\/web\/25337.html<\/a><\/p>\n<p>A First Look at the Struts2 S2-029 Remote Code Execution Vulnerability<br \/>\n<a href=\"http:\/\/www.freebuf.com\/vuls\/99234.html\">http:\/\/www.freebuf.com\/vuls\/99234.html<\/a><br \/>\nS2-029 Struts2 Tag Remote Code Execution Analysis (with PoC)<br \/>\n<a href=\"http:\/\/www.freebuf.com\/vuls\/99432.html\">http:\/\/www.freebuf.com\/vuls\/99432.html<\/a><\/p>\n<p>Struts2 S2-032 Remote Code Execution Analysis<br \/>\n<a href=\"http:\/\/www.freebuf.com\/vuls\/102836.html\">http:\/\/www.freebuf.com\/vuls\/102836.html<\/a><\/p>\n<p>Vulnerability Alert: Struts 2 Again Exposed to Remote Code Execution Vulnerability S2-037 (CVE-2016-4438)<br \/>\n<a href=\"http:\/\/www.freebuf.com\/news\/106954.html\">http:\/\/www.freebuf.com\/news\/106954.html<\/a><\/p>\n<p>[Vulnerability Alert] Apache Struts2 Again Exposed to a Remote Code Execution Vulnerability (S2-046, with PoC)<br \/>\n<a href=\"http:\/\/www.freebuf.com\/vuls\/129871.html\">http:\/\/www.freebuf.com\/vuls\/129871.html<\/a><\/p>\n<p>An Incomplete Review Series of Historical Struts2 RCE Vulnerabilities<br \/>\n<a href=\"http:\/\/rickgray.me\/2016\/05\/06\/review-struts2-remote-command-execution-vulnerabilities.html\">http:\/\/rickgray.me\/2016\/05\/06\/review-struts2-remote-command-execution-vulnerabilities.html<\/a><\/p>\n<p>StrutsHoneypot: a Honeypot for Struts2<br \/>\n<a href=\"http:\/\/www.mottoin.com\/99098.html\">http:\/\/www.mottoin.com\/99098.html<\/a><\/p>\n<p>Quickly Setting Up a Struts2 Vulnerability Demo Environment (S2-032\/033\/037\/devMode)<br \/>\n<a href=\"http:\/\/www.mottoin.com\/85519.html\">http:\/\/www.mottoin.com\/85519.html<\/a><\/p>\n<p>[Vulnerability Alert] Struts 2 Remote Command Execution Vulnerability S2-045 Disclosed<br \/>\n<a href=\"http:\/\/www.mottoin.com\/97954.html\">http:\/\/www.mottoin.com\/97954.html<\/a><\/p>\n<p>Struts 2 Remote Command Execution Vulnerability S2-046<br \/>\n<a href=\"http:\/\/www.mottoin.com\/98591.html\">http:\/\/www.mottoin.com\/98591.html<\/a><\/p>\n<p>VulApps: Quickly Set Up All Kinds of Vulnerability Environments<br \/>\n<a href=\"http:\/\/www.mottoin.com\/88838.html\">http:\/\/www.mottoin.com\/88838.html<\/a><\/p>\n<p>Vulnerability Environments for Historical Struts2 Versions<br \/>\n<a href=\"https:\/\/github.com\/0kami\/Struts2Environment\">https:\/\/github.com\/0kami\/Struts2Environment<\/a><\/p>\n<p>Struts2 Command Execution Records by Version<br \/>\n<a href=\"http:\/\/blog.0kami.cn\/2017\/01\/13\/Struts2-history-payload\/\">http:\/\/blog.0kami.cn\/2017\/01\/13\/Struts2-history-payload\/<\/a><\/p>\n<p>Struts2 S2-045 Vulnerability Environment<br \/>\n<a href=\"https:\/\/github.com\/mottoin\/S2-045\">https:\/\/github.com\/mottoin\/S2-045<\/a><\/p>\n<p>Supports detection of the following versions: ST2-005 ST2-009 ST2-013 ST2-016 ST2-019 ST2-devmode ST2-032 ST2-037 ST2-045<br \/>\n<a href=\"https:\/\/github.com\/Lucifer1993\/struts-scan\">https:\/\/github.com\/Lucifer1993\/struts-scan<\/a><\/p>\n<p>====<\/p>\n<p>s2-016,s2-019,s2-020<br \/>\n<a href=\"https:\/\/github.com\/zj--2095\/struts2-exp\">https:\/\/github.com\/zj--2095\/struts2-exp<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/tony1016\/s2-032-exploit\">https:\/\/github.com\/tony1016\/s2-032-exploit<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/tengzhangchao\/Struts2_045-Poc\">https:\/\/github.com\/tengzhangchao\/Struts2_045-Poc<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/jas502n\/st2-046-poc\">https:\/\/github.com\/jas502n\/st2-046-poc<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/coffeehb\/Some-PoC-oR-ExP\/tree\/master\/Struts2\">https:\/\/github.com\/coffeehb\/Some-PoC-oR-ExP\/tree\/master\/Struts2<\/a> # s2-017\/020\/032\/033\/037<\/p>\n<p><a href=\"https:\/\/github.com\/crown-prince\/Go_Struts2\">https:\/\/github.com\/crown-prince\/Go_Struts2<\/a><\/p>\n<p>[Original] K8 Struts2 Exp 20170310 S2-045 (Comprehensive Struts2 Exploitation Tool)<br \/>\n# Supported vulnerabilities (S2-045 devMode S2-032 s2-020 s2-019 s2-016 s2-013 s2-009 S2-005)<br \/>\n<a href=\"http:\/\/qqhack8.blog.163.com\/blog\/static\/1141479852014631102759126\/\">http:\/\/qqhack8.blog.163.com\/blog\/static\/1141479852014631102759126\/<\/a><\/p>\n<h5>Reference links:<\/h5>\n<ul>\n<li>site:freebuf.com struts2 remote code execution<\/li>\n<li>site:github.com struts2 poc<\/li>\n<li><a href=\"https:\/\/github.com\/search?utf8=%E2%9C%93&amp;q=struts2+poc&amp;type=Code\">https:\/\/github.com\/search?utf8=%E2%9C%93&amp;q=struts2+poc&amp;type=Code<\/a><\/li>\n<li>https:\/\/www.soulema.com\/search?q=struts2+\u6f0f\u6d1e+\u73af\u5883<\/li>\n<li>https:\/\/www.soulema.com\/#q=struts2+045+\u6f0f\u6d1e+\u73af\u5883+war<\/li>\n<li><a href=\"https:\/\/mvnrepository.com\/artifact\/org.apache.struts\/struts2-blank\/2.3.32\">https:\/\/mvnrepository.com\/artifact\/org.apache.struts\/struts2-blank\/2.3.32<\/a><\/li>\n<li><a href=\"http:\/\/central.maven.org\/maven2\/org\/apache\/struts\/struts2-blank\/2.3.32\/struts2-blank-2.3.32.war\">http:\/\/central.maven.org\/maven2\/org\/apache\/struts\/struts2-blank\/2.3.32\/struts2-blank-2.3.32.war<\/a><\/li>\n<\/ul>\n<p>=END=<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=Start= Background: I remember that when I had just graduated, Struts2 had a critical vulnerability disclosed (Struts2-016); from then on the S [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,25],"tags":[672,784,781,37,782],"class_list":["post-3282","post","type-post","status-publish","format-standard","hentry","category-knowledgebase-2","category-security","tag-exp","tag-poc","tag-rce","tag-security","tag-struts2"],"views":10848,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/3282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=3282"}],"version-history":[{"count":1,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/3282\/revisions"}],"predecessor-version":[{"id":3283,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/3282\/revisions\/3283"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=3282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=3282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=3282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}