catalog

. Description

. Effected Scope

. Exploit Analysis

. Principle Of Vulnerability

. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

2. Effected Scope

Struts Showcase App 2.0. - Struts Showcase App 2.3.

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.

//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. "此站点已经禁用应用程序"在sharepoint 2013中通过v2013部署app提示该错误

    该错误的原文是:the apps are disabled in this site 可以在yahoo或者bing上搜索这个错误,可以找到解决办法: msdn上也有该错误解决办法,但是如果搜索中文,目 ...

  6. SharePoint 2013 开发——开发自定义操作APP

    博客地址:http://blog.csdn.net/FoxDave 自定义操作即我们所说的Ribbon和ECB(Edit Control Block),在SharePoint 2013之前,我们可以 ...

  7. struts2 CVE-2012-0838 S2-007 Remote Code Execution && Hotfix

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. 关于vs生成app错误提示,提醒Execution failed for task ':transformClassesWithDexForDebug'.

    昨天将vs和android SDK更新之后生成app之后发现app生成出错,报错如下: FAILURE: Build failed with an exception. * What went wro ...

  9. 利用struts2的json返回方式来控制jquery.validate的remote框架,进行表单验证

随机推荐

  1. Linux wait函数详解

    wait和waitpid出现的原因 SIGCHLD --当子进程退出的时候,内核会向父进程SIGCHLD信号,子进程的退出是个异步事件(子进程可以在父进程运行的任何时刻终止) --子进程退出时,内核将 ...

  2. 工作随笔——Java调用Groovy类的方法、传递参数和获取返回值

    接触Groovy也快一年了,一直在尝试怎么将Groovy引用到日常工作中来.最近在做一个功能的时候,花了点时间重新看了下Java怎么调用Groovy的方法.传递参数和获取返回值. 示例Groovy代码 ...

  3. Android内容观察者

    内容观察者是做什么的? 内容观察者主要用来观察数据库是否被操作了. 以查询数据库为例: 首先注册一个内容观察者(App1): //false 观察的Uri必须是一个确切的Uri 如果是true,只需要 ...

  4. md5加密31位

    今天将其它服务器里的用户数据导入到新的系统数据库中 出现密码不匹配情况 查看原来数据库中密码得到结果位: 原服务器密码 明文 正确32位密闻 67b14728ad9902aecba32e22fa4f6 ...

  5. easyui添加生成tab和子页面jsp

    <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>& ...

  6. Day Six(Beta)

    站立式会议 站立式会议内容总结 331 今天:完成闹钟功能,远程数据库采用bmob的解决方案,应用初始化bmob 遇到问题:闹钟没有取消提醒 以及多次设置提醒的问题 明天:修改闹钟问题,完成文件下载( ...

  7. springMvc的第一个demo

    1.下载jar包 http://repo.spring.io/libs-release-local/org/springframework/spring/4.2.3.RELEASE/ 2.下载源码 j ...

  8. Java文件拷贝

    package com.lxm.demos; import java.io.BufferedReader; import java.io.BufferedWriter; import java.io. ...

  9. springMVC之applicationcontext.xml配置说明

    <?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.sp ...

  10. Java设计模式(三) 装饰模式

    装饰模式:动态的将责任附加到对象上,想要扩展功能,装饰者提供有别于继承的另一种选择. 1,创建顶级类 package com.pattern.decorate; public abstract cla ...