catalog

. Description

. Effected Scope

. Exploit Analysis

. Principle Of Vulnerability

. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter's name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.

2. Effected Scope

Struts Showcase App 2.0. - Struts Showcase App 2.3.

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.

//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution的更多相关文章

  1. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  2. struts2 CVE-2010-1870 S2-005 XWork ParameterInterceptors bypass allows remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  3. struts2 CVE-2013-2251 S2-016 action、redirect code injection remote command execution

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  4. [我的CVE][CVE-2017-15708]Apache Synapse Remote Code Execution Vulnerability

    漏洞编号:CNVD-2017-36700 漏洞编号:CVE-2017-15708 漏洞分析:https://www.javasec.cn/index.php/archives/117/ [Apache ...

  5. "此站点已经禁用应用程序"在sharepoint 2013中通过v2013部署app提示该错误

    该错误的原文是:the apps are disabled in this site 可以在yahoo或者bing上搜索这个错误,可以找到解决办法: msdn上也有该错误解决办法,但是如果搜索中文,目 ...

  6. SharePoint 2013 开发——开发自定义操作APP

    博客地址:http://blog.csdn.net/FoxDave 自定义操作即我们所说的Ribbon和ECB(Edit Control Block),在SharePoint 2013之前,我们可以 ...

  7. struts2 CVE-2012-0838 S2-007 Remote Code Execution && Hotfix

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  8. 关于vs生成app错误提示,提醒Execution failed for task ':transformClassesWithDexForDebug'.

    昨天将vs和android SDK更新之后生成app之后发现app生成出错,报错如下: FAILURE: Build failed with an exception. * What went wro ...

  9. 利用struts2的json返回方式来控制jquery.validate的remote框架,进行表单验证

随机推荐

  1. c#描述异常处理语句try、catch、finally执行时的相互关系

    try里面是执行代码,其中的代码"可能"产生异常. catch是对产生异常后的处理代码,可以抛出异常,也可以显示异常,也可以弹出某中提示,总之catch里是任何代码都行,如果你知道 ...

  2. gRpc NET Core

    NET Core下使用gRpc公开服务(SSL/TLS) 一.前言 前一阵子关于.NET的各大公众号都发表了关于gRpc的消息,而随之而来的就是一波关于.NET Core下如何使用的教程,但是在这众多 ...

  3. Linux execve函数簇用法

    exec函数簇实现的功能都是用一个新程序替换原来的程序,替换的内容包括堆栈段,代码段,进程控制器PCD,但是原进程的PID保持不变 int execl(const char *path, const ...

  4. U3D屏幕空间到世界空间变换

    using UnityEngine; using System.Collections; public class FPSCam : MonoBehaviour { Vector3 lastPos; ...

  5. Python 操作 MongoDB

    原文 这篇文章主要介绍了使用Python脚本操作MongoDB的教程,MongoDB作为非关系型数据库得到了很大的宣传力度,而市面上的教程一般都是讲解JavaScript的脚本操作,本文则是基于Pyt ...

  6. 【分布式协调器】Paxos的工程实现-Cocklebur状态转移

    集群中的主机经过选举过程由Looking状态变为了Leadering或Following状态.而这些状态之间转移的条件是什么呢?先来个直观的,上状态图. 图 4.1 Cocklebur选举过程中的状态 ...

  7. Scala集合操作

    大数据技术是数据的集合以及对数据集合的操作技术的统称,具体来说: 1.数据集合:会涉及数据的搜集.存储等,搜集会有很多技术,存储技术现在比较经典方案是使用Hadoop,不过也很多方案采用Kafka.  ...

  8. 基于FPGA的通信信号源的设计

    通信信号源设计原理 通过设计一个DDS信号源,然后将该信号作为载波信号,再对基带信号进行2ASK.2FSK.2PSK.2DPSK调制,进而产生多种通信信号. 设计框图如下: 将PN序列进行2ASK.2 ...

  9. MATLAB 中NORM运用

    格式:n=norm(A,p)功能:norm函数可计算几种不同类型的矩阵范数,根据p的不同可得到不同的范数 以下是Matlab中help norm 的解释 NORM   Matrix or vector ...

  10. date 显示或设置系统时间和日期

    显示或设置系统时间和日期 date [options] [+format] date [options] [new date] date用来显示系统的时间和日期,超级用户可以使用date来更改系统时钟 ...