How to reproduce remote code execution vulnerabilities in Struts2-057

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through how to reproduce the Struts2-057 (S2-057) remote code execution vulnerability. It covers the vulnerability background, the affected versions, the environment setup, the reproduction steps, and the remediation recommendations.

0x00 Introduction

Apache Struts is an open source project maintained by the Apache Software Foundation in the United States. The Struts2 framework is an open source web application framework for developing Java EE web applications. It leverages and extends the Java Servlet API to encourage developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some of the advantages of the Struts framework, and provides a cleaner web application framework for implementing the MVC design pattern.

0x01 Vulnerability overview

The vulnerability arises when the website's XML configuration does not set a namespace value and the upper action configuration either sets no namespace or uses a wildcard namespace; this can lead to remote code execution. Remote code execution is also possible when a url tag sets neither value nor action and the upper action configuration either sets no namespace or uses a wildcard namespace.

0x02 Affected versions

Apache Struts 2.3 - Struts 2.3.34

Apache Struts 2.5 - Struts 2.5.16

0x03 Environment setup

1. Here we use the vulhub docker environment to build the target. Download vulhub from:

https://github.com/vulhub/vulhub

2. After the download completes (look up how to install docker-compose yourself), and once docker-compose is installed, change into the vulhub directory for this vulnerability and start the environment:

cd /home/demo/vulhub-master/struts2/s2-057/

docker-compose up -d    // pull the image

3. When "done" is displayed, the pull succeeded. Visit http://IP:8080/struts2-showcase in the browser; if the Struts2 test page appears, the environment has been built successfully.

4. Conditions for exploitation

4.1 alwaysSelectFullNamespace is set to true. In this case the namespace value is taken from the URL. The URL is attacker-controllable, so the namespace is controllable as well.

4.2 The action element has no namespace attribute set, or uses a wildcard. The namespace is then supplied by the user through the URL and parsed as an OGNL expression, resulting in remote code execution.

0x04 Vulnerability reproduction

1. Enter http://IP:8080/struts2-showcase/${(123+123)}/actionChain1.action in the address bar and refresh. The numbers in the middle of the URL are added together, which shows the expression was evaluated.

2. Replace the ${(123+123)} payload in the middle with an exp that executes a command. Capturing and modifying the request with Burp makes the result easy to see.

Payload: // Note: the payload must be URL-encoded

3. Capture the packet and send it to the Repeater (playback) module, add the URL-encoded payload to the URL, and send it. The echoed result appears in the response header.

0x05 Remediation recommendations

1. Temporary solution: where the upper action configuration sets no namespace or uses a wildcard namespace, verify the namespace in all XML configurations, and verify the value and action of all url tags in JSPs.

2. A fixed version has been officially released. Affected users should upgrade to Apache Struts 2.3.35 or Struts 2.5.17 as soon as possible.
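
One way to carry out the XML part of the temporary check in step 1, as an added example that is not from the original article: it parses a struts.xml and reports the two exploitation conditions from 0x03 step 4. In struts.xml the namespace attribute sits on the <package> that encloses the actions, so the check is done per package; the sample XML, the function name audit_struts_xml and the rule that any `*` in a namespace counts as a wildcard are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"

# Constructed sample struts.xml for illustration; not taken from the article or vulhub.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="actionChain1" class="demo.Chain1">
      <result type="redirectAction">register2</result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="list" class="demo.List"/>
  </package>
  <package name="fixed" extends="struts-default" namespace="/admin">
    <action name="home" class="demo.Home"/>
  </package>
</struts>"""


def audit_struts_xml(xml_text):
    """Return (flag_enabled, findings) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    # Condition 4.1: alwaysSelectFullNamespace switched on via <constant>.
    flag_enabled = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    findings = []
    # Condition 4.2: namespace (declared on <package>) missing or wildcard.
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if not ns:  # attribute absent or empty
            reason = "no namespace"
        elif "*" in ns:  # assumption: any '*' marks a wildcard namespace
            reason = "wildcard namespace"
        else:
            continue
        actions = [a.get("name") for a in pkg.iter("action")]
        findings.append((pkg.get("name"), reason, actions))
    return flag_enabled, findings


if __name__ == "__main__":
    enabled, findings = audit_struts_xml(SAMPLE_STRUTS_XML)
    print(f"{FLAG} = {enabled}")
    for name, reason, actions in findings:
        print(f"package {name!r}: {reason}; actions to review: {actions}")
```

The flag can also be set in struts.properties or by a plugin such as the Convention plugin, so a False result from struts.xml alone does not clear the application. The url tags in JSPs still need the separate review described in step 1.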

That concludes this walkthrough of reproducing the Struts2-057 remote code execution vulnerability. I hope the content above is helpful.