S2-053 vulnerability reproduction (with exp)

Posted by santillano at 2020-04-12

On September 7, Apache Struts released the S2-053 security notice, vulnerability number CVE-2017-12611. The vulnerability is an RCE caused by a FreeMarker tag using an expression constant or a forced expression. Official summary:

A possible Remote Code Execution attack when using an unintentional expression in Freemarker tag instead of string literals

Affected versions: Struts 2.0.1 – Struts 2.3.33, Struts 2.5 – Struts 2.5.10

It's easy to deploy the environment with a WAR package or Docker. Open the page and enter the expression %{33-1} as a test; the expression is evaluated and the page returns 32.

Use exp to create an account; the exp is as follows:

The iamlsa account was created successfully!

PS: I tried the exp that pops Calc again, but it still failed. I was depressed.

20170924 update: Calc popped successfully on Win 7, payload:

<@s.hidden name="redirectUri" value=redirectUri />
<@s.hidden name="redirectUri" value="${redirectUri}" />
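For auditing your own templates, the following is an added example (not part of the original post and not Struts project code) that scans FreeMarker template text for Struts tags whose attributes are written in the two forms shown above. The function names, the sample template, and the choice to flag every attribute of every `<@s.*>` tag are assumptions; each finding still needs manual review to decide whether the property is user-writable.

```python
import re

# A Struts FreeMarker tag such as <@s.hidden ... />; group 2 is the attribute text.
# Heuristic: attribute values containing '>' are not handled.
TAG_RE = re.compile(r'<@s\.(\w+)\b([^>]*?)/?>', re.S)
# name = "quoted" | 'quoted' | bare-token
ATTR_RE = re.compile(r'''([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'/>]+)''')

def classify(raw):
    """Return why FreeMarker evaluates this value before Struts sees it, or None."""
    if raw[0] in '"\'':
        if '${' in raw:
            return 'FreeMarker interpolation inside string literal'
        # Plain literal, or %{...} Struts expression style (described as safe
        # in the S2-053 advisory): FreeMarker passes the text through as-is.
        return None
    if re.fullmatch(r'\d+(\.\d+)?|true|false', raw):
        return None  # numeric or boolean constant
    return 'unquoted FreeMarker expression'

def scan_template(text):
    """Return (line, tag, attribute, reason) for each suspicious attribute."""
    findings = []
    for tag in TAG_RE.finditer(text):
        line = text.count('\n', 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group(2)):
            reason = classify(attr.group(2))
            if reason:
                findings.append((line, tag.group(1), attr.group(1), reason))
    return findings

# Constructed sample template (not taken from a real application).
SAMPLE = '''<@s.form action="save">
<@s.hidden name="redirectUri" value=redirectUri />
<@s.hidden name="redirectUri" value="${redirectUri}" />
<@s.hidden name="redirectUri" value="%{redirectUri}" />
<@s.textfield name="title" size=30 />
</@s.form>
'''

if __name__ == '__main__':
    for line, tag, attr, reason in scan_template(SAMPLE):
        print(f'line {line}: <@s.{tag}> attribute "{attr}": {reason}')
```

Upgrading past the affected version ranges listed above remains the actual fix; the scan only helps locate templates to rewrite with string literals or `%{...}`.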