Struts2 S2-061漏洞分析与复现指南<\/h1>

漏洞概述<\/h2>
S2-061是Apache Struts2框架中的一个远程代码执行漏洞(CVE-2020-17530)，是S2-059漏洞的补丁绕过版本。该漏洞源于Struts2框架对OGNL表达式的不当处理，允许攻击者构造恶意OGNL表达式实现远程代码执行。<\/p>

漏洞原理<\/h2>

漏洞根源<\/strong>：Struts2框架在处理某些标签属性时，会对OGNL表达式进行二次解析<\/li>
补丁绕过<\/strong>：S2-059的补丁通过黑名单机制限制某些包和类的访问，但可以通过特定方式绕过<\/li>

关键点<\/strong>：利用%{...}<\/code>语法构造恶意OGNL表达式，通过二次解析触发漏洞<\/li> <\/ol> 环境搭建<\/h2> 快速搭建方法<\/h3> 使用IntelliJ IDEA的Maven archetype快速创建Struts2项目：<\/p> 选择Create from archetype<\/code><\/li> 选择Struts2相关archetype<\/li> 自动生成项目结构<\/li> <\/ol> 必要代码修改<\/h3> index.jsp修改<\/strong>：<\/p> <%@taglib prefix="s" uri="\/struts-tags" %> <% String payload = request.getParameter("payload"); request.setAttribute("payload",payload); %> <html> <body> <s:a id="%{#request.payload}">testurl<\/s:a> <s:form action="helloWorld"> <s:textfield label="What is your name?" name="name" \/> <s:textfield label="What is the date?" name="dateNow" \/> <s:submit \/> <\/s:form> <\/body> <\/html> <\/code><\/pre> IndexAction.java<\/strong>：<\/p> @Conversion<\/span>()<\/span> <\/span><\/span>public<\/span> class<\/span> IndexAction<\/span> extends<\/span> ActionSupport {<\/span> <\/span><\/span> private<\/span> String payload;<\/span> <\/span><\/span> private<\/span> Date now =<\/span> new<\/span> Date(<\/span>System.<\/span>currentTimeMillis<\/span>());<\/span> <\/span><\/span> <\/span><\/span> @TypeConversion<\/span>(<\/span>converter =<\/span> "Struts2.DateConverter"<\/span>)<\/span> <\/span><\/span> public<\/span> Date getDateNow<\/span>()<\/span> {<\/span> return<\/span> now;<\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> String getPayload<\/span>(<\/span>String payload){<\/span> <\/span><\/span> return<\/span> payload;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> void<\/span> setPayload<\/span>(<\/span>String payload){<\/span> <\/span><\/span> this<\/span>.<\/span>payload<\/span>=<\/span>payload;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> String execute<\/span>()<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> now =<\/span> new<\/span> Date(<\/span>System.<\/span>currentTimeMillis<\/span>());<\/span> <\/span><\/span> return<\/span> SUCCESS;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>漏洞分析<\/h2> 补丁分析<\/h3> Struts2在S2-059中增加了以下检测逻辑：<\/p> public<\/span> static<\/span> boolean<\/span> containsExpression<\/span>(<\/span>String expr)<\/span> {<\/span> <\/span><\/span> return<\/span> expr !=<\/span> null<\/span> &&<\/span> expr.<\/span>contains<\/span>(<\/span>"%{"<\/span>)<\/span> &&<\/span> expr.<\/span>contains<\/span>(<\/span>"}"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>当检测到%{<\/code>和}<\/code>时会返回true，阻止对表达式的嵌套解析。<\/p> 漏洞利用链<\/h3> 获取ValueStack<\/strong>：通过request全局变量获取struts.valueStack<\/li> 绕过限制<\/strong>：使用application根变量获取org.apache.tomcat.InstanceManager<\/code>到DefaultInstanceManager<\/code>类<\/li> 关键方法调用<\/strong>：利用DefaultInstanceManager.newInstance()<\/code>方法<\/li> 获取Context对象<\/strong>：通过org.apache.commons.collections.BeanMap<\/code>的setBean<\/code>和get<\/code>方法<\/li> 绕过黑名单<\/strong>：操作context对象覆盖Struts2的黑名单机制<\/li> 代码执行<\/strong>：调用黑名单中的类实现RCE<\/li> <\/ol> 利用过程中的关键点<\/h3> 获取InstanceManager<\/strong>：<\/li> <\/ol> public<\/span> Object newInstance<\/span>(<\/span>String className)<\/span> throws<\/span> IllegalAccessException,<\/span> <\/span><\/span> InvocationTargetException,<\/span> NamingException,<\/span> InstantiationException,<\/span> <\/span><\/span> ClassNotFoundException {<\/span> <\/span><\/span> Class<?><\/span> clazz =<\/span> this<\/span>.<\/span>loadClassMaybePrivileged<\/span>(<\/span>className,<\/span> this<\/span>.<\/span>classLoader<\/span>);<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>newInstance<\/span>(<\/span>clazz.<\/span>newInstance<\/span>(),<\/span> clazz);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 避免死循环<\/strong>：直接获取context会导致root对象循环引用，需要通过Map中转<\/p> <\/li> 黑名单覆盖<\/strong>：获取并操作Struts2的黑名单类，解除安全限制<\/p> <\/li> <\/ol> 漏洞复现<\/h2> POC构造步骤<\/h3> 构造初始OGNL表达式获取ValueStack<\/li> 通过application变量获取InstanceManager<\/li> 利用BeanMap获取并操作context对象<\/li> 覆盖安全沙箱设置<\/li> 执行任意代码<\/li> <\/ol> 注意事项<\/h3> 需要正确处理context对象的获取，避免死循环导致内存溢出<\/li> 注意Struts2版本差异，不同版本可能需要调整利用方式<\/li> 测试环境建议使用Struts 2.5.26版本<\/li> <\/ol> 防御措施<\/h2> 升级到Struts2最新版本<\/li> 禁用不必要的Struts2标签<\/li> 实施严格的输入验证<\/li> 使用WAF等防护设备拦截恶意请求<\/li> <\/ol> 参考资源<\/h2> Struts2官方安全公告<\/a><\/li> S2-061漏洞分析文章<\/a><\/li> <\/ol> 总结<\/h2> S2-061漏洞展示了补丁绕过的一种典型模式，通过深入分析框架机制和补丁实现，可以发现新的攻击面。理解该漏洞有助于安全研究人员更好地评估Web框架的安全性，并为防御类似漏洞提供思路。<\/p>

Struts2 S2-061漏洞分析与复现指南<\/h1>

漏洞概述<\/h2> S2-061是Apache Struts2框架中的一个远程代码执行漏洞(CVE-2020-17530)，是S2-059漏洞的补丁绕过版本。该漏洞源于Struts2框架对OGNL表达式的不当处理，允许攻击者构造恶意OGNL表达式实现远程代码执行。<\/p>

环境搭建<\/h2>

漏洞分析<\/h2>

总结<\/h2> S2-061漏洞展示了补丁绕过的一种典型模式，通过深入分析框架机制和补丁实现，可以发现新的攻击面。理解该漏洞有助于安全研究人员更好地评估Web框架的安全性，并为防御类似漏洞提供思路。<\/p>

漏洞概述<\/h2>
S2-061是Apache Struts2框架中的一个远程代码执行漏洞(CVE-2020-17530)，是S2-059漏洞的补丁绕过版本。该漏洞源于Struts2框架对OGNL表达式的不当处理，允许攻击者构造恶意OGNL表达式实现远程代码执行。<\/p>

总结<\/h2>
S2-061漏洞展示了补丁绕过的一种典型模式，通过深入分析框架机制和补丁实现，可以发现新的攻击面。理解该漏洞有助于安全研究人员更好地评估Web框架的安全性，并为防御类似漏洞提供思路。<\/p>