S2-061 bypasses the fix for S2-059 in Apache Struts2, which strengthened the OGNL expression sandbox. The vulnerability affects Struts versions 2.0.0 through 2.5.25. To reproduce, start a Struts2 2.5.25 environment and send a crafted packet to execute commands like 'id', with results displayed on the page.
S2-061 is a bypass of S2-059. The official Struts2 fix for S2-059 involved strengthening the OGNL expression sandbox, but S2-061 circumvents that sandbox. This vulnerability affects Struts versions 2.0.0 through 2.5.25.
S2-061 Remote Code Execution Vulnerability (CVE-2020-17530)
S2-061 is a bypass of S2-059. The official Struts2 fix for S2-059 involved strengthening the OGNL expression sandbox, but S2-061 circumvents that sandbox. This vulnerability affects Struts versions 2.0.0 through 2.5.25.
References:
Vulnerability Environment
Run the following command to start a Struts2 2.5.25 environment:
After the environment starts, visit http://target-ip:8080/index.action to see the home page.
Vulnerability Reproduction
Send the following request packet to execute the id command:
As shown, the output of the id command will be displayed directly on the page: