Struts2 vulnerability analysis: a new attack idea triggered by an OGNL expression feature - Vulnerability warning - the black bar safety net

ID MYHACK58:62201336541
Type myhack58
Reporter Anonymous
Modified 2013-01-03T00:00:00


0x01 Overview

0x02 Background and principle analysis

0x03 Example simulation and tracing

0x04 Summary

0x01 Overview: In an OGNL expression, the content of a variable enclosed in parentheses "()" is itself executed as an OGNL expression. This property of OGNL expressions gives rise to a new attack idea: store malicious code in a variable, then invoke a function in the OGNL expression that uses this variable, so that the malicious code is executed and the attack succeeds.

This article uses the CVE-2011-3923 vulnerability as an example to describe the specific process behind this idea. However, the content is not limited to this one vulnerability; in a real audit, the same idea can be used to find many similar vulnerabilities.

0x02 Background and principle analysis:

This vulnerability is very similar to CVE-2010-1870: both execute Java through OGNL expressions to achieve remote code execution. Let us first review CVE-2010-1870: the attacker submits an OGNL expression through a GET request and directly calls Java static methods to achieve code execution. After this issue was disclosed, Struts strengthened its checks on user-submitted content, prohibiting special characters such as "#" and "\" from being submitted in parameters.

Does that mean there is no longer any way to execute OGNL expressions remotely? Of course not. OGNL provides another way to evaluate an expression; let us look at part of the official documentation:

For example, this expression


looks up the fact variable, and interprets the value of that variable as an OGNL expression using the BigInteger representation of 30 as the root object. See below for an example of setting the fact variable with an expression that returns the factorial of its argument. Note that there is an ambiguity in OGNL's syntax between this double evaluation operator and a method call. OGNL resolves this ambiguity by calling anything that looks like a method call, a method call. For example, if the current object had a fact property that held an OGNL factorial expression, you could not use this approach to call it


because OGNL would interpret this as a call to the fact method. You could force the interpretation you want by surrounding the property reference by parentheses:


OGNL thus gives us the form "#fact()", which lets an expression held by a context object be called like a function. The part to note is the last sentence of the quoted passage, which roughly means: if you want to call such an expression held by a context object, you can write it in the form "(fact)()".

During testing it was found that in an OGNL expression of the form (one)(two), the first part is first evaluated as a separate OGNL expression, and evaluation then continues with what follows. So if the program calls a function that can evaluate an OGNL expression, and we pass in a variable containing a malicious expression, the filtering Struts performs becomes a "transparent door".
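As an added illustration (not code from the article), the following Python checks request parameter names for the (one)(two) double-evaluation form described above, alongside the "#"/"\" character check that Struts introduced after CVE-2010-1870, to show why a character blacklist alone does not catch it. The query string is a constructed sample and the function names are mine.

```python
import re
from urllib.parse import parse_qsl

# The character blacklist Struts added after CVE-2010-1870: '#' or '\' in a parameter.
LEGACY_BLACKLIST = re.compile(r"[#\\]")


def has_double_eval(expr: str) -> bool:
    """True if expr contains a balanced (...) group immediately followed by
    another '(', i.e. the OGNL (one)(two) double-evaluation form.
    A plain call such as fact(30) is not flagged; (fact)(30) and ((a)(b)) are."""
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
            # Whitespace between the two groups is allowed by the grammar.
            if expr[i + 1:].lstrip().startswith("("):
                return True
    return False


def audit_query_string(query: str) -> dict:
    """Return {parameter_name: [flags]} for parameter names that look like OGNL
    injection attempts. parse_qsl URL-decodes once, as the servlet container does."""
    findings = {}
    for name, _value in parse_qsl(query, keep_blank_values=True):
        flags = []
        if LEGACY_BLACKLIST.search(name):
            flags.append("blacklisted-char")
        if has_double_eval(name):
            flags.append("double-eval")
        if flags:
            findings[name] = flags
    return findings


# Constructed sample request (not from a real log): a normal parameter, one the
# legacy blacklist catches, and one in the (one)(two) form the blacklist misses.
SAMPLE_QUERY = "user=alice&%23foo=1&(fact)(30)=x"

if __name__ == "__main__":
    for name, flags in audit_query_string(SAMPLE_QUERY).items():
        print(f"{name!r}: {', '.join(flags)}")
```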
