This is a vulnerability that no one has published; I discovered it by chance while looking at the code. In fact, not many people use this code, and two conditions need to be met before it can be used. I guess that for the big names who released the Struts2 remote code execution bugs, it is impossible to find such a brainless loophole. So either there is some reason it can't be announced, or it is being sold; well then, this time I'll go first, hahaha!
Let’s talk about the principle:
Struts2 allows an Action to have multiple return (result) types, including the XSLT type. That type lets a user submit a file address, and the file at that address is parsed as an XSLT file regardless of its extension.
This is the code of the XSLTResult file:
http://svn.apache.org/repos/ASF/Struts/Struts2/trunk/core/src/main/java/org/apache/sltrsult.java

    // Get the value of "xslt.location" submitted by the user
    String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
    path = pathFromRequest;
    URL resource = ServletActionContext.getServletContext().getResource(path);
    // Parse the file at the user-submitted address as XSLT
    templates = factory.newTemplates(new StreamSource(resource.openStream()));
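A hardened counterpart to the code above, as an added example that is not Struts code: the request value only selects among stylesheets the application ships and is never used as a path, and the factory has secure processing enabled, which in the JDK's built-in XSLT processor turns off calls from a stylesheet into Java methods. The class name, the `identity` stylesheet and the sample inputs are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class SafeXsltLoader {
    // Constructed sample: stylesheets the application ships, keyed by a logical name.
    // In a real application the values would be fixed classpath resources, not strings.
    private static final String IDENTITY =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:template match='@*|node()'><xsl:copy><xsl:apply-templates select='@*|node()'/>"
      + "</xsl:copy></xsl:template></xsl:stylesheet>";
    private static final Map<String, String> ALLOWED = Map.of("identity", IDENTITY);

    // Assumes the JDK's built-in JAXP implementation (JAXP 1.5 or later).
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        // Secure processing disables XSLT extension functions (calls into Java methods).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not let a stylesheet pull in external DTDs or other stylesheets.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    // requestedName may come from the request, but it only selects among known
    // stylesheets; it is never turned into a path or URL.
    static Templates load(String requestedName) throws TransformerConfigurationException {
        String xsl = ALLOWED.get(requestedName);
        if (xsl == null) {
            throw new IllegalArgumentException("unknown stylesheet: " + requestedName);
        }
        return hardenedFactory().newTemplates(new StreamSource(new StringReader(xsl)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("identity loaded: " + (load("identity") != null));
        try {
            load("/upload/avatar.jpg"); // constructed value shaped like a file path
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```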
XSLT parsing also allows calls to Java static methods, so all that is needed is for one file to be uploaded to the server, for example
<?xml version="1.0" encoding="UTF-8"?>