
How to analyze the vulnerabilities of Struts2-057

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article gives a detailed code-level analysis of the Struts2-057 vulnerability and the corresponding solutions, in the hope of helping readers who want to understand this problem find a simple and feasible approach.

On 22 August 2018, a remote code execution vulnerability in Struts2 was disclosed as Struts2-057. Many articles on the Internet already reproduce the vulnerability; here we do not intend to reproduce it, but only to study it at the code level.

The official description of the vulnerability is:

1. When a result defined in the underlying XML configuration has no namespace value set, and its upper-level action configuration also has no namespace or uses a wildcard namespace, remote code execution is possible.

2. When a url tag has neither value nor action set, and its upper-level action configuration has no namespace or uses a wildcard namespace, remote code execution is possible.

A namespace divides actions into logically separate modules, which avoids duplicate action names. The default namespace is the empty string, and it is searched only when the action cannot be found in any other namespace.

Explaining the first case: in the struts.xml configuration file, if no namespace is set for a result defined in the underlying XML configuration, and the enclosing tag either sets no namespace or uses a wildcard namespace, there may be a remote code execution vulnerability. (Among the result types, only redirectAction, chain and postback take a namespace parameter.)

Example:

A2.action

The second case: if the url tag of the Struts tag library sets neither value nor action, and the associated action tag has no namespace or uses a wildcard namespace, remote code execution may occur.

Example:

Struts2 Tags. Hello, Struts2 Tag.
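As an added example (not code from the article or from the Struts project), an audit script that flags both configuration patterns described above: results of type redirectAction/chain/postback with no explicit namespace inside a package that has no namespace or a wildcard one, and url tags that set neither value nor action. The struts.xml and JSP fragments are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET
RISKY_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# Constructed struts.xml: "app" has no namespace, "wild" a wildcard one, "safe"
# a fixed namespace plus an explicit namespace param on its result.
STRUTS_XML = """<struts>
  <package name="app" extends="struts-default">
    <action name="A1" class="com.example.A1">
      <result type="redirectAction">A2.action</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="B1" class="com.example.B1">
      <result type="chain">B2</result>
    </action>
  </package>
  <package name="safe" namespace="/safe" extends="struts-default">
    <action name="C1" class="com.example.C1">
      <result type="redirectAction">
        <param name="namespace">/safe</param>
      </result>
    </action>
  </package>
</struts>"""
# Constructed JSP fragment: only the second <s:url> sets neither value nor action.
JSP = '<s:url id="u1" value="/safe/x.action"/> <s:url id="u2"/> <s:url action="C2"/>'
URL_TAG = re.compile(r"<s:url\b([^>]*)>")

def audit_struts_xml(xml_text):
    """First condition: redirectAction/chain/postback results with no explicit
    namespace param inside a package with no namespace or a wildcard namespace."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        ns = pkg.get("namespace", "")
        if ns.strip() and "*" not in ns:
            continue  # fixed, non-wildcard namespace: not affected
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in RISKY_RESULT_TYPES:
                    continue
                if not any(p.get("name") == "namespace" for p in result.iter("param")):
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings

def audit_jsp(jsp_text):
    """Second condition: <s:url> tags that set neither value nor action."""
    return [m.group(0) for m in URL_TAG.finditer(jsp_text)
            if not re.search(r"\b(value|action)\s*=", m.group(1))]
```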

FilterDispatcher is the core controller of Struts2. It intercepts all user requests and then decides which Action to invoke by consulting ActionMapper (an interface).

The first step of the problem is here:

By default, Struts2 calls getMapping in the DefaultActionMapper implementation class, which parses the request to determine which action is called (i.e. the namespace, name and method); ActionMapper obtains the namespace in the parseNameAndParameters method.

This is where the attribute alwaysSelectFullNamespace comes in. When alwaysSelectFullNamespace is true, the action lookup strictly follows the namespace supplied in the URI and returns 404 if it cannot be found. In that case, even if we construct an arbitrary namespace, the request would fail with 404 before the namespace is evaluated as an OGNL expression and code is executed, so the attack would not succeed. Fortunately, the default value of alwaysSelectFullNamespace is true, at which point the lookup proceeds as follows:

1. Suppose the request URI is, for example: http://localhost:8081/[project name]/path2/path3/addUser.action

2. First look for the package whose namespace is /path2/path3. If the package exists, look for the action named addUser in it; if found, go to step 5. If the package does not exist, go to step 3.

3. Look for the package whose namespace is /path2. If the package exists, look for the action named addUser in it; if found, go to step 5. If the package does not exist, go to step 4.

4. Look for the package whose namespace is /. If the package exists, look for the action named addUser in it; if found, go to step 5. If it does not exist, go to step 5.

5. If there is a default namespace, look for the action named addUser in that package and execute it if found; otherwise the page reports that the action cannot be found.

This is why the attack described earlier requires the condition "namespace is not set in the upper-level tag, or a wildcard namespace is used": in that case any namespace can be constructed without the request producing an error. (This is the source point.)
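As an added example (not code from the article or from Struts), the lookup in steps 1-5 modelled in Python over a constructed set of packages: the action is located by falling back to the default namespace, while the mapping still carries the namespace taken from the URI. The allow-list check at the end is an assumed mitigation for illustration, not the framework's own fix.

```python
import re

# Constructed packages: namespace -> action names, mirroring the step list.
PACKAGES = {"/path2/path3": {"listUser"}, "/path2": set(), "/": {"index"}, "": {"addUser"}}

def parse_uri(uri):
    """Split '/path2/path3/addUser.action' into ('/path2/path3', 'addUser')."""
    path = uri.split("?", 1)[0]
    slash = path.rfind("/")
    namespace, name = path[:slash], path[slash + 1:]
    if name.endswith(".action"):
        name = name[:-len(".action")]
    return namespace, name

def resolve_action(namespace, name, packages=PACKAGES):
    """Steps 2-5: try the full namespace, then each parent, then '/', then the
    default namespace ''. Returns the package namespace the action was found
    in, or None (which the framework reports as 'action not found')."""
    candidate = namespace
    while candidate and candidate != "/":
        if name in packages.get(candidate, ()):
            return candidate
        candidate = candidate.rsplit("/", 1)[0]  # "/path2/path3" -> "/path2"
    for fallback in ("/", ""):
        if name in packages.get(fallback, ()):
            return fallback
    return None

def map_request(uri, packages=PACKAGES):
    """The mapping keeps the namespace taken from the URI (the 'source') even
    when the action is only found by falling back to the default namespace."""
    namespace, name = parse_uri(uri)
    return namespace, name, resolve_action(namespace, name, packages)

# Hypothetical mitigation (an assumption for this example, not Struts's own
# code): accept a request namespace only if it consists of plain path characters.
ALLOWED_NAMESPACE = re.compile(r"^[A-Za-z0-9._/\-]*$")

def is_allowed_namespace(namespace):
    return ALLOWED_NAMESPACE.fullmatch(namespace) is not None
```

Note that the unmatched namespace in the second call below is still returned unchanged as the mapping's namespace, which is exactly the value the redirect result later reuses.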

The second step of the problem (that is, the sink point):

It is not enough to construct an arbitrary namespace; a trigger point is also needed. Here we analyze it with the result type redirectAction, whose corresponding class is org.apache.struts2.result.ServletActionRedirectResult. In fact, not only this class is affected; the result types chain and postback have the same problem.

After the requested Action has executed, ServletActionRedirectResult.execute() is called to process the redirect Result. After ActionMapper.getUriFromActionMapping() has reassembled the namespace and name, the location containing the namespace is passed via setLocation() to the parent class ServletRedirectResult, whose execute method is called; ServletRedirectResult in turn calls the execute method of its parent class StrutsResultSupport.

Finally, StrutsResultSupport calls conditionalParse(location, invocation), and TextParseUtil.translateVariables() calls OgnlTextParser.evaluate() to evaluate the OGNL expression contained in the URL, which results in code execution.

This concludes the analysis of the Struts2-057 vulnerability. I hope the above content is of some help; if you still have questions, follow the industry information channel for more related knowledge.
