2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to build a debugging environment for Struts2 S2-057 and analyze the vulnerability. The editor thinks it is very practical and shares it here; I hope you get something out of reading it.
Cause of the vulnerability
The official description of the vulnerability is:
1. When the XML configuration does not set a namespace value, and the upper-level action configuration (Action Configuration) also does not set one or uses a wildcard namespace, remote code execution may result.
2. When the url tag sets neither value nor action, and the upper-level action configuration does not set a namespace or uses a wildcard namespace, remote code execution may result.
For a detailed analysis, see:
https://www.freebuf.com/vuls/182006.html
Building the debugging environment
1) Download the official source code:
git clone https://github.com/apache/Struts.git
2) Switch to the 2.5.12 branch:
git checkout STRUTS_2_5_10
3) Copy the entire src/apps/showcase folder from the source tree and create a new project from it
4) Import the Maven project with IDEA or Eclipse
5) Modify the configuration file struts-actionchaining.xml in src/main/resources to:
Register2
Visit http://localhost:8080/struts2-showcase/%24{1+2}/actionChain1.action
The URL is redirected to: http://localhost:8080/struts2-showcase/3/register2.action
The 1+2 in the location has been evaluated, which shows that OGNL injection occurred.
Vulnerability analysis
First, look at how Struts2 handles the default result objects. These default result types are processed by com/opensymphony/xwork2/DefaultActionInvocation.java.
The execute method of the specific result object (redirectAction) is called.
Notice that in the struts-actionchaining.xml configuration file the type of the result is redirectAction, so find the class that handles redirectAction, org.apache.struts2.result.ServletActionRedirectResult, and set a breakpoint at its execute method.
Send the request: http://localhost:8080/struts2-showcase/%24{1+2}/actionChain1.action
The program stops at the breakpoint. Stepping further, because no namespace was specified in the XML configuration, the namespace here is null, and it is re-assigned to /${1+2}.
Finally, the location is set to /${1+2}/register2.action
Step into (F5) the call to super.execute(invocation) and follow it through to the execute method of StrutsResultSupport.
The location value here is /${1+2}/register2.action, and after the OGNL expression is evaluated the final result is /3/register2.action.
At this point, the OGNL expression has executed successfully.
Defense
Upgrade the framework to the latest official version.
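The configuration condition traced in the analysis (a redirectAction result with no namespace of its own, under a package whose namespace is unset or a wildcard) can be looked for in a project's Struts XML files. The script below is an added example, not code from the original article or from Struts; the sample XML is constructed, and the function names `audit` and `namespace_is_open` are hypothetical. It covers only explicit redirectAction results inside action elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not the article's file): unset, wildcard and fixed namespaces.
SAMPLE_XML = """
<struts>
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="pinned">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/account</param>
      </result>
    </action>
    <action name="open"><result type="redirectAction">register2</result></action>
  </package>
  <package name="fixed" extends="struts-default" namespace="/admin">
    <action name="safe"><result type="redirectAction">register2</result></action>
  </package>
</struts>
"""

def namespace_is_open(ns):
    """True when the package namespace is unset, empty, or contains a wildcard."""
    return ns is None or ns.strip() == "" or "*" in ns

def audit(xml_text):
    """Return (package, action) pairs whose redirectAction result has no namespace param."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        if not namespace_is_open(pkg.get("namespace")):
            continue  # a fixed package namespace is outside the described condition
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") != "redirectAction":
                    continue
                # A non-empty <param name="namespace"> pins the redirect namespace.
                pinned = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.iter("param"))
                if not pinned:
                    findings.append((pkg.get("name"), action.get("name")))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_XML))
```

Each reported pair is a result to review alongside the upgrade, for example by setting an explicit namespace on the package or the result.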
The above is how to build and analyze the vulnerability environment of Struts2 S2-057. The editor believes it covers some points that we may see or use in our daily work. I hope you can learn more from this article.