Apache Struts OGNL injection vulnerability: principles and examples (Vulnerability Warning, Black Bar Safety Net)


In this article we look at how OGNL injection is achieved against Apache Struts. The examples are built around two critical Struts vulnerabilities: CVE-2017-5638 (the Equifax information disclosure) and CVE-2018-11776.

Apache Struts is a free, open-source framework for building modern Java web applications. It has had many serious vulnerabilities. One of its characteristic features is support for OGNL (Object-Graph Navigation Language), which is also the root cause of many of those vulnerabilities. One of them, CVE-2017-5638, directly led to the 2017 Equifax breach, which exposed the personal information of more than 145 million US citizens. Although the company's annual revenue exceeds 30 billion dollars, it still did not escape an attack on a known vulnerability in the Apache Struts MVC framework.

This article first introduces Apache Struts, then walks through modifying a simple application so that OGNL can be used to exploit it. After that we study in depth several public exploits for the platform and try the OGNL injection vulnerabilities ourselves. Java developers are generally familiar with Apache Struts, but the security community often is not, which is why we wrote this article.

Getting started

Running a vulnerable Struts application requires the Apache Tomcat web server. The latest version can be downloaded as a ZIP. Unpack the binary distribution to a location of your choice (we use /var/tomcat) and continue:

```
cd /var/tomcat/bin   # go to the unzipped folder
chmod +x *.sh        # make the scripts executable
./startup.sh         # run the startup script
```

Visit http://localhost:8080/ and check that the site is running. Once that is confirmed, download the old version of the Apache Struts framework that is vulnerable to the attacks we are about to demonstrate. The Struts 2.3.30 release meets our needs. After extracting the archive, you should find the file struts2-showcase.war under /apps. This is a demo application built with Struts and ready to deploy. Copy the WAR file to /var/tomcat/webapps and open http://localhost:8080/struts2-showcase/showcase.action to confirm that it works.

Web server basics

If you already have a good grasp of basic Java web application concepts such as servlets, you are ahead of the game. If you are new to Java servlets, think of a servlet simply as a component whose purpose is to create the web container for web applications hosted on the web server; it is also responsible for handling requests to /struts2-showcase and other Java applications. To process servlets, a web server such as Apache Tomcat needs a few components:

1\. Apache Coyote is the connector that supports the HTTP/1.1 protocol. It allows the servlet container component, Apache Catalina, to communicate.

2\. Apache Catalina is the container that decides, when Tomcat receives an HTTP request, which servlet must be invoked. It also converts the HTTP request and response text into Java objects that the servlet uses.

![](/Article/UploadPic/2019-3/201933032655612.png)

All the details of the Java Servlet specification, currently version 4.0, can be found in the specification itself.

Apache Struts basics

A Java web application using the Apache Struts framework can have multiple servlets. The main purpose of this article is not to teach how to build web applications with this framework, but to get a grip on its basic concepts at the surface level; there are step-by-step tutorials on the subject. The Apache Struts framework relies on the MVC (Model-View-Controller) architectural pattern. This is very helpful for an application, because the main components are kept separate:

1\. Model: represents the application's data, for example a class for "orders" and similar data.

2\. View: the output of the application, the visual part.

3\. Controller: receives user input and uses the model to generate the view.

4\. Actions: the model in Apache Struts.

5\. Interceptors: part of the controller; they are hooks that can be invoked before or after the request is processed.

6\. Value stack/OGNL: a set of objects, for example the model or action objects.

7\. Result/result type: selects the view for the business logic.

8\. View technologies: handle how data is displayed.

The general architecture of an Apache Struts web application is shown below:

![](/Article/UploadPic/2019-3/201933032655347.jpg)

The controller receives the HTTP request, and the FilterDispatcher is responsible for invoking the right action according to the request. The action is then executed, and the view component prepares a result and sends it to the user in the HTTP response.

Struts application example

Writing a Struts application from scratch takes some time, so we will use the rest-showcase demo application that is already available; it is a basic front-end to a simple REST API. To compile it, we only need to go into its directory and build with Maven:

```
cd struts-2.3.30/src/apps/rest-showcase/
mvn package
```

In the target directory we find the file struts2-rest-showcase.war. Copy it to the Tomcat webapps directory (for example /var/tomcat/webapps) to install it. The application source looks like this:

![](/Article/UploadPic/2019-3/201933032655780.png)

The files are described below:

1\. Order.java is the model, a Java class that stores an order's information.

```java
public class Order {
    String id;
    String clientName;
    int amount;
    ...
}
```

2\. OrdersService.java is a helper class that stores all the Orders in a HashMap and manages them.

```java
public class OrdersService {
```
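The value stack item above says OGNL navigates model and action objects, and Order is the model. The following is an added example, not code from the article or the rest-showcase application: it evaluates OGNL expressions against an Order shaped like the page's model using the ognl library that Struts 2 bundles. The getters, setter and constructor are assumptions added so OGNL can resolve the properties; the expressions are fixed, developer-written strings.

```java
import java.util.Map;
import ognl.Ognl;
import ognl.OgnlException;

// Added example (not from the article or the rest-showcase app): shows how OGNL
// walks an object graph rooted at an Order, which is what the Struts value stack
// does for action and model objects. Needs the ognl library on the classpath.
public class OgnlNavigationDemo {

    // Same fields as the page's Order model; accessors are an assumption added here
    // because OGNL resolves "clientName" through the JavaBean getter getClientName().
    public static class Order {
        String id;
        String clientName;
        int amount;

        public Order(String id, String clientName, int amount) {
            this.id = id;
            this.clientName = clientName;
            this.amount = amount;
        }
        public String getId() { return id; }
        public String getClientName() { return clientName; }
        public int getAmount() { return amount; }
        public void setAmount(int amount) { this.amount = amount; }
    }

    // Evaluates a fixed, developer-controlled expression with the order as the root
    // object. The expression string must never be taken from request data: OGNL is a
    // full expression language, and that is the mechanism behind the injection bugs
    // discussed later in the article.
    static Object evaluate(String expression, Order root) throws OgnlException {
        Map ctx = Ognl.createDefaultContext(root);
        return Ognl.getValue(expression, ctx, root);
    }

    public static void main(String[] args) throws OgnlException {
        Order order = new Order("1", "Bob", 33);

        // Property navigation: "clientName" is resolved via getClientName()
        System.out.println(evaluate("clientName", order));
        // Arithmetic on a navigated property
        System.out.println(evaluate("amount * 2", order));
        // Method invocation is an ordinary OGNL expression, not a separate feature
        System.out.println(evaluate("clientName.toUpperCase()", order));

        // Assignment through the setter is supported as well
        Ognl.setValue("amount", Ognl.createDefaultContext(order), order, 42);
        System.out.println(order.getAmount());
    }
}
```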