2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to reproduce the Struts2 S2-061 remote command execution vulnerability (CVE-2020-17530).
0x00 Introduction
The Struts2 framework is an open source web application architecture for developing Java EE web applications. It leverages and extends the Java Servlet API to encourage developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some of the advantages of the Struts framework, and provides a cleaner web application framework for implementing the MVC design pattern.
0x01 Vulnerability overview
Apache Struts disclosed the S2-061 Struts remote code execution vulnerability (CVE-2020-17530) on December 8, 2020. OGNL expression injection may occur in situations such as the use of certain tags, resulting in remote code execution, which may lead to consequences such as an attacker taking control of the server. S2-061 is a bypass of the S2-059 sandbox.
0x02 Affected versions
Apache Struts 2.0.0-2.5.25
0x03 Environment setup
1. Building an S2-061 vulnerability environment by hand is complex, and this vulnerability is a bypass of the fix for S2-059, so here we use the Docker environment from vulhub. Download the latest vulhub.
Vulhub download address: https://github.com/vulhub/vulhub
2. Because the environment is built with Docker, the docker and docker-compose commands must be installed in the virtual machine. Look up the installation method on Baidu.
3. After the vulhub download is completed, copy it into the virtual machine, decompress it, and enter the s2-061 directory
cd vulhub-master/struts2/s2-061
4. After entering the directory, use docker-compose up -d to start the vulnerability environment
5. Access the target address http://your-ip:8080 in the browser
0x04 Vulnerability reproduction
1. Use a payload in the URL to verify that the vulnerability exists. Note: the payload must be URL-encoded, and the result is viewed in the browser's element inspector.
?id=%25%7b+%27test%27+%2b+(11+%2b+11).toString()%7d
2. Method 1: the addition was evaluated, so here a payload is constructed directly to execute a command
3. Method 2: use Burp to capture the request to the home page, send it to the Repeater module, and change it to a POST request.
Payload:
4. Reverse shell. The reverse shell command needs to be base64-encoded.
Encoding tool address: http://www.jackson-t.ca/runtime-exec-payloads.html
5. Method 3: use a script to execute commands quickly
Summary
1. Reproducing this vulnerability requires a Docker environment and basic Docker commands.
2. Burp is needed to modify the request, so you need to know basic Burp usage
3. Linux commands are needed, so you need to understand their usage and meaning
4. Verifying with a Python script requires a python3 environment
0x05 Remediation recommendation
1. Upgrading to the latest version is recommended
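A defender-side check for the verification request shown in step 1 of 0x04, as an added example that is not code from the original article: it URL-decodes the query parameters found in access-log lines (including double encoding) and flags values that carry an OGNL %{...} or ${...} expression. The combined log format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')
# Struts evaluates %{...} and ${...} as OGNL; neither belongs in a request parameter.
OGNL_RE = re.compile(r'[%$]\{.*\}', re.DOTALL)

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Dec/2020:10:00:00 +0000] "GET /index.action?id=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [08/Dec/2020:10:00:05 +0000] '
    '"GET /?id=%25%7b+%27test%27+%2b+(11+%2b+11).toString()%7d HTTP/1.1" 200 530',
    '192.0.2.12 - - [08/Dec/2020:10:00:09 +0000] "GET /?id=%2525%257b1%252b1%257d HTTP/1.1" 200 530',
    '192.0.2.13 - - [08/Dec/2020:10:00:12 +0000] "GET /search?q=50%25+off HTTP/1.1" 200 100',
]

def decode_fully(raw, max_rounds=3):
    """Form-decode once, then keep percent-decoding to expose double encoding."""
    value = unquote_plus(raw)          # first pass: '+' means space in a query string
    for _ in range(max_rounds - 1):
        again = unquote(value)         # later passes must not touch a literal '+'
        if again == value:
            break
        value = again
    return value

def find_ognl_params(log_line):
    """Return [(param, decoded_value)] for query parameters carrying an OGNL expression."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if OGNL_RE.search(value):
            hits.append((unquote_plus(name), value))
    return hits

def scan(lines):
    """Return [(line_number, param, decoded_value)] for every suspicious parameter."""
    return [(n, p, v) for n, line in enumerate(lines, 1) for p, v in find_ognl_params(line)]

if __name__ == "__main__":
    for line_no, param, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} carries OGNL expression {value!r}")
```

Access logs normally record only the query string, so requests sent as POST (Method 2 above) have to be checked where the body is visible, for example in a servlet filter or WAF rule using the same pattern.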