catalog

. Description

. Effected Scope

. Exploit Analysis

. Principle Of Vulnerability

. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

2. Effected Scope

Struts Showcase App 2.0. - Struts Showcase App 2.3.

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.

//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. "此站点已经禁用应用程序"在sharepoint 2013中通过v2013部署app提示该错误

    该错误的原文是:the apps are disabled in this site 可以在yahoo或者bing上搜索这个错误,可以找到解决办法: msdn上也有该错误解决办法,但是如果搜索中文,目 ...

  6. SharePoint 2013 开发——开发自定义操作APP

    博客地址:http://blog.csdn.net/FoxDave 自定义操作即我们所说的Ribbon和ECB(Edit Control Block),在SharePoint 2013之前,我们可以 ...

  7. struts2 CVE-2012-0838 S2-007 Remote Code Execution && Hotfix

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. 关于vs生成app错误提示,提醒Execution failed for task ':transformClassesWithDexForDebug'.

    昨天将vs和android SDK更新之后生成app之后发现app生成出错,报错如下: FAILURE: Build failed with an exception. * What went wro ...

  9. 利用struts2的json返回方式来控制jquery.validate的remote框架,进行表单验证

随机推荐

  1. DirectoryBrowserMiddleware中间件如何呈现目录结构

    DirectoryBrowserMiddleware中间件如何呈现目录结构 和StaticFileMiddleware中间件一样,DirectoryBrowserMiddleware中间本质上还是定义 ...

  2. JavaScript的一些知识碎片(2)-反射-全局变量-回调

    JavaScript中的反射:编程语言中的反射原理都一样,就是通过操作metadata(描述语言的语言)来完成一些不具备反射功能的语言很难实现的功能.在静态语言中,反射是一个高大上的东西,比如在运行时 ...

  3. PAT 1067. Sort with Swap(0,*)

    1067. Sort with Swap(0,*) (25)   Given any permutation of the numbers {0, 1, 2,..., N-1}, it is easy ...

  4. Web性能优化-合并js与css,减少请求

    Web性能优化已经是老生常谈的话题了, 不过笔者也一直没放在心上,主要的原因还是项目的用户量以及页面中的js,css文件就那几个,感觉没什么优化的.人总要进步的嘛,最近在被angularjs吸引着,也 ...

  5. C# 7.0 新特性2: 本地方法

    本文参考Roslyn项目中的Issue:#259. 1. C# 7.0 新特性1: 基于Tuple的“多”返回值方法 2. C# 7.0 新特性2: 本地方法 3. C# 7.0 新特性3: 模式匹配 ...

  6. 基于DDD的.NET开发框架 - ABP工作单元(Unit of Work)

    返回ABP系列 ABP是“ASP.NET Boilerplate Project (ASP.NET样板项目)”的简称. ASP.NET Boilerplate是一个用最佳实践和流行技术开发现代WEB应 ...

  7. 与TCP/IP协议的初次见面(一)

    引言 最近LZ有了一点时间,于是便拿出TCP/IP的书本开始啃.开始的时候,啃起来枯燥无味,现在好不容易有点开窍,于是赶忙记录一下,生怕自己一转眼就给忘了.不过计算机系统原理就有点可惜了,最近一直没时 ...

  8. VMware精简系统Win系列|体积更小更稳定

    此Win系列基于VMware10 给个我自用的超精简VM10.0.3 XP重新制作体积大了一点但更稳定,压缩包166M 制作了Win 2003,压缩包171.4M Win7重新制作体积更小更稳定,压缩 ...

  9. iOS10-- snapshotViewAfterScreenUpdates 失效

    如果snapshotViewAfterScreenUpdates失效, 用这个方法替代, 不过要自己创建ImageView 替代方式: - (UIImage *)imageFromView:(UIVi ...

  10. RabbitMQ官方中文入门教程(PHP版) 第四部分:路由(Routing)

    路由(Routing) 在前面的教程中,我们实现了一个简单的日志系统.可以把日志消息广播给多个接收者. 本篇教程中我们打算新增一个功能——使得它能够只订阅消息的一个字集.例如,我们只需要把严重的错误日 ...