catalog

. Description

. Effected Scope

. Exploit Analysis

. Principle Of Vulnerability

. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

2. Effected Scope

Struts Showcase App 2.0. - Struts Showcase App 2.3.

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.

//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. "此站点已经禁用应用程序"在sharepoint 2013中通过v2013部署app提示该错误

    该错误的原文是:the apps are disabled in this site 可以在yahoo或者bing上搜索这个错误,可以找到解决办法: msdn上也有该错误解决办法,但是如果搜索中文,目 ...

  6. SharePoint 2013 开发——开发自定义操作APP

    博客地址:http://blog.csdn.net/FoxDave 自定义操作即我们所说的Ribbon和ECB(Edit Control Block),在SharePoint 2013之前,我们可以 ...

  7. struts2 CVE-2012-0838 S2-007 Remote Code Execution && Hotfix

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. 关于vs生成app错误提示,提醒Execution failed for task ':transformClassesWithDexForDebug'.

    昨天将vs和android SDK更新之后生成app之后发现app生成出错,报错如下: FAILURE: Build failed with an exception. * What went wro ...

  9. 利用struts2的json返回方式来控制jquery.validate的remote框架,进行表单验证

随机推荐

  1. 获取iTextSharp 的image 报错

    获取itextsharp类库的image对象的时候报错  outofmemory  .经过艰苦的测试发现jpeg类型是可行的的 iTextSharp.text.Image je = iTextShar ...

  2. 认识HTML5的WebSocket

    在HTML5规范中,我最喜欢的Web技术就是正迅速变得流行的WebSocket API.WebSocket提供了一个受欢迎的技术,以替代我们过去几年一直在用的Ajax技术.这个新的API提供了一个方法 ...

  3. TopCoder

    在TopCoder下载好luncher,网址:https://www.topcoder.com/community/competitive%20programming/ 选择launch web ar ...

  4. 【REST WCF】30分钟理论到实践

    先来点理论知识,来自 http://www.cnblogs.com/simonchen/articles/2220838.html 一.什么是Rest REST软件架构是由Roy Thomas Fie ...

  5. Android之捕获TextView超链接

    应该是好久没有写有关技术类的文章了,今天分享一篇捕获TextView超链接的文章,希望对大家有所帮助,我终于在歪路上回归正途了.这个捕获TextView超链接应该算是比较常用吧,如果你会了,就不用看了 ...

  6. 移除首页->重回首页

    之前发布了一篇文章<订餐系统之获取淘宝外卖订单>,因为是关于淘宝外卖的,所以文中出现这个词时,都加了链接,还设置了 target='_blank',就是为了让看的人方便点击,查看.后来,博 ...

  7. [【codechefCHSEQ22】Chef and Favourite Sequence(并查集)

    题目:http://hzwer.com/3419.html 题意:给你一个全是0的数列,有m种操作[Li,Ri],每次操作就将下标处于[Li,Ri]的元素取反.你可以选若干个操作来使这个数列最后变成别 ...

  8. 基本数据类型-列表_元组_字典_day4

    一.列表(list)书写格式:[] #通过list类创建的 li = [1, 12, 9, ", 10, ],"庞麦郎"], "ales", True ...

  9. HTML5基础知识(3)--required属性

    1.required属性规定在提交之前要填写输入域(不能为空). 2.代码 <body> <form> 账号:<input type="text" r ...

  10. [转]Mybatis出现:无效的列类型: 1111 错误

    原文地址:http://www.cnblogs.com/sdjnzqr/p/4304874.html 在使用Mybatis时,不同的xml配置文件,有的会提示:无效的列类型: 1111 比如这个sql ...