catalog

. Description
. Effected Scope
. Exploit Analysis
. Principle Of Vulnerability
. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

2. Effected Scope

Struts Showcase App 2.0. - Struts Showcase App 2.3.

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.
//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. "此站点已经禁用应用程序"在sharepoint 2013中通过v2013部署app提示该错误

    该错误的原文是:the apps are disabled in this site 可以在yahoo或者bing上搜索这个错误,可以找到解决办法: msdn上也有该错误解决办法,但是如果搜索中文,目 ...

  6. SharePoint 2013 开发——开发自定义操作APP

    博客地址:http://blog.csdn.net/FoxDave 自定义操作即我们所说的Ribbon和ECB(Edit Control Block),在SharePoint 2013之前,我们可以 ...

  7. struts2 CVE-2012-0838 S2-007 Remote Code Execution && Hotfix

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. 关于vs生成app错误提示,提醒Execution failed for task ':transformClassesWithDexForDebug'.

    昨天将vs和android SDK更新之后生成app之后发现app生成出错,报错如下: FAILURE: Build failed with an exception. * What went wro ...

  9. 利用struts2的json返回方式来控制jquery.validate的remote框架,进行表单验证

随机推荐

  1. .NET Core)的ZooKeeper异步客户端

    支持断线重连.永久watcher.递归操作并且能跨平台(.NET Core)的ZooKeeper异步客户端   阅读目录 什么是ZooKeeper? 项目介绍 提供的功能 使用说明 FAQ 在公司内部 ...

  2. NFine的后台源码

    Chloe官网及基于NFine的后台源码毫无保留开放   扯淡 经过不少日夜的赶工,Chloe 的官网于上周正式上线.上篇博客中LZ说过要将官网以及后台源码都会开放出来,为了尽快兑现我说过的话,趁周末 ...

  3. centos6 pyotp bug修复

    yum install python-pip -ypip install pyotp vim /usr/lib/python2.6/site-packages/pyotp/utils.py... 49 ...

  4. hessian学习

    hessian是一个采用二进制格式传输的服务框架,相对传统soap web service,更轻量,更快速.官网地址:http://hessian.caucho.com/ 目前已经支持N多语言,包括: ...

  5. struts2使用Convention Plugin在weblogic上以war包部署时,找不到Action的解决办法

    环境: struts 2.3.16.3 + Convention Plugin 2.3.16.3 实现零配置 现象:以文件夹方式部署在weblogic(10.3.3)上时一切正常,换成war包部署,运 ...

  6. vmware安装cent os 6.5 + oracle 11g xe + jboss eap 6.2 + weblogic 12c+ webshpere mq 7.5

    前言: mac系统发展速度确实很快,短短数年,mac os上已经能网银支付(中行.招行.工商.支付宝等均已全面支持mac os了),windows上的经典常用软件:qq.飞信.旺旺.有道词典.有道云笔 ...

  7. C118+Osmocom-bb+Openbts搭建小型基站

    演示图片: 演示视频: 交流论坛:GsMsEc 交流Q群:

  8. Theano3.3-练习之逻辑回归

    是官网上theano的逻辑回归的练习(http://deeplearning.net/tutorial/logreg.html#logreg)的讲解. Classifying MNIST digits ...

  9. SQL基础之GROUPING

    1.grouping sets 记得前几天第一次接触grouping sets时,笔者的感觉是一脸懵逼. 后来一不小心看到msdn上对grouping sets的说明,顿时豁然开朗,其实groupin ...

  10. 强迫症的福利——我的第一个VS插件,对using排序!

    首先来看看VS自带的using整理功能: 长短不一,看着让人生厌!这是哪个门子的整理?越来越乱了好吗! 难道就没有一款,由短到长——金字塔搬的排序方案吗? 于是各种百度: “VS 插件 using排序 ...