Shulou(Shulou.com)05/31 Report--

How to find the remote execution code of Apache Struts through Semmle QL. I believe that many inexperienced people are at a loss about this. Therefore, this paper summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

Preface

In April 2018, a new Apache Struts remote code execution vulnerability was reported. In a Struts-specific configuration, access to a specially crafted URL can trigger this vulnerability. The vulnerability number is CVE-2018-11776 (S2-057). This article describes the process of discovering vulnerabilities.

Mapping attack surface

Many vulnerabilities involve the flow of data from untrusted sources (for example, user input) to a particular location, in which case the data can be exploited in dangerous ways (SQL queries, deserialization, some other interpretation languages, etc.). For specific projects, a good way to start working on such issues is to look at known vulnerabilities in older versions of the software. This gives you an in-depth understanding of the various sources and receiving points you are looking for.

In this case, the author first looked at RCE vulnerabilities S2-032 (CVE-2016-3081), S2-033 (CVE-2016-3687) and S2-037 (CVE-2016-4438). Like many other RCE in Struts, these RCE involve what is considered to be illegal input of OGNL expressions, allowing attackers to run arbitrary code on the server. These three vulnerabilities are particularly interesting not only because they give us some insight into the internal work of Struts, but also because it takes three times to fix the same problem!

All three problems are the result of remote input passed as a parameter to the method OgnlUtil::getValue () through the variable methodName.

String methodName = proxy.getMethod (); / /

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.