This took two days, so here is a record of it.
One: Background:
Apache Struts2 released its latest security bulletin on August 22, 2018: Apache Struts2 has a high-risk remote code execution vulnerability.
Two: How the vulnerability arises:
1. The attacker needs to know the action name of the corresponding redirect request
2. The properties in the Struts2 framework are set to:
1) struts.mapper.alwaysSelectFullNamespace = true
2) type = "redirectAction" or type = "chain"
Three: How the malicious code runs:
1. struts2-core.jar!/org/apache/struts2/dispatcher/ServletActionRedirectResult.class
2. The URI string is returned via getUriFromActionMapping();
3. The value obtained from getUriFromActionMapping() is assigned to the tmpLocation variable, and the expression then enters the setLocation method
4. ServletActionResult is called through the super.execute method, and inside the execute method the conditionalParse method is followed. In this method, translateVariables, the key method for OGNL execution, is called.
5. The obtained param value is passed into the translateVariables() method, resulting in OGNL expression execution in OgnlTextParser.
Four: Exploitation:
An attacker can construct malicious URI requests to probe server-related information and to remotely control the server.
For remote control, a request is constructed that pops up a shell window in which the user can execute commands.
Five: Defensive measures:
- Upgrade the framework version to the latest official version
- For web applications, keep your code as secure as possible, and change the two property settings mentioned earlier
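
To find where the two settings from section Two occur, here is an added example (not part of the original write-up and not Struts code): a Python check that scans a struts.xml for the alwaysSelectFullNamespace constant and for results of type redirectAction or chain. The sample configuration is constructed and the function names are hypothetical; it reads struts.xml only, so a flag set in struts.properties or by a plugin has to be checked separately.

```python
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"
RISKY_RESULT_TYPES = {"redirectaction", "chain"}  # the two result types named in section Two

# Constructed sample configuration (not taken from a real application).
SAMPLE_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">home</result>
      <result name="input">/login.jsp</result>
    </action>
    <action name="step1" class="example.StepAction">
      <result type="chain">step2</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="panel" class="example.PanelAction">
      <result>/admin/panel.jsp</result>
    </action>
  </package>
</struts>
"""


def audit_struts_config(xml_text):
    """Return (flag_enabled, risky_results) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    flag_enabled = any(
        c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    risky = []
    for pkg in root.iter("package"):
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = (result.get("type") or "").strip()
                if rtype.lower() in RISKY_RESULT_TYPES:
                    # namespace is None when the package declares none
                    risky.append((pkg.get("name"), pkg.get("namespace"),
                                  action.get("name"), rtype))
    return flag_enabled, risky


def is_exposed(xml_text):
    """True when both settings from section Two are present in this file."""
    flag_enabled, risky = audit_struts_config(xml_text)
    return flag_enabled and bool(risky)
```

Each tuple in the second return value names the package, its namespace, the action and the result type, which is the list of entries to review after upgrading.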
Apache Struts2 High-risk Vulnerability (S2-057, CVE-2018-11776)