Struts2 Remote Code Execution Vulnerability Analysis (S2-013)
Published 2013-05-21, https://www.inbreak.net/archives/487.html

by 空虚浪子心 http://inbreak.net Weibo: http://t.qq.com/javasecurity
Summary
Apache's Struts2 project recently had a remote code execution vulnerability disclosed, numbered "S2-013". It is currently a 0day: no fix from the project exists yet.
http://struts.apache.org/development/2.x/docs/security-bulletins.html (the advisory)
The official security bulletin gives the identifier and a one-line description: "A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution".
But it neither explains the root cause nor ships any patch.
Analysis:
In fact, the Struts2 project published two vulnerabilities this time; the other one is called S2-012, but judging by its title it should be the one I already disclosed in my XCon 2012 talk "攻击JAVA WEB" (Attacking Java Web), so this article only covers the other one.
The Struts2 developers are being silly: with a vulnerability like this, either don't publish it at all, or, having published it, ship a patch. Instead they only posted that paragraph, and the detailed content is not accessible to ordinary users.
[screenshot]
From that paragraph we can roughly summarize a few points:
1. An unpatched remote code execution vulnerability.
2. The includeParams attribute of the URL tag is where the problem lies.
Based on just these two points, anyone familiar with how Struts2 works and with the root causes of earlier vulnerabilities can easily work out a concrete PoC.
Triggering the vulnerability:
Since no patch has been released, the latest version of Struts2 is still vulnerable; you can download the latest release, Apache Struts 2.3.14 GA, and use its sample application.
A simple test produced the expected result.
According to the official information the problem lies in the a tag, so I wrote a JSP page with the following content:

    <%@ taglib prefix="s" uri="/struts-tags" %>
    <s:a includeParams="all">Click here.</s:a>

This is the a tag from the Struts2 tag library. It renders the current URL on the page, and when includeParams=all it also renders the concrete request parameters.
The only riddle left is how to get the parameter content evaluated as an OGNL expression, but that riddle is far too easy to guess; a casual test gave the result right away.
Visit the URL:
http://localhost:8080/blank/error.jsp?aaa=${the usual Struts2 PoC, you know the one}
and the calculator pops up directly. Everyone already has the PoC code, so I'll just post a screenshot:
[screenshot]
With almost no analysis I had a PoC; in the end, in order to work out a fix, I was forced to study the root cause.
Root cause:
The includeParams attribute of the url and a tags in the Struts2 tag library means "render the request parameters": once it is set to ALL, GET or POST, the concrete request parameter contents are rendered. For that requirement, URL-encoding the parameters would have been enough. The problem is that Struts goes one step further and runs the parameters through OGNL evaluation!
Code:

The parseQueryString method of the class org.apache.struts2.views.util.DefaultUrlHelper:

    public Map parseQueryString(String queryString, boolean forceValueArray) {
        Map queryParams = new LinkedHashMap();
        if (queryString != null) {
            ......
                    if (paramName != null) {
                        // both the parameter name and its value go through translateAndDecode
                        paramName = translateAndDecode(paramName);
                        String translatedParamValue = translateAndDecode(paramValue);
              ......

translateAndDecode in turn calls:

    private String translateVariable(String input) {
        ValueStack valueStack = ServletActionContext.getContext().getValueStack();
        // evaluates ${...} expressions found in the input as OGNL against the value stack
        return TextParseUtil.translateVariables(input, valueStack);
    }

Ultimately TextParseUtil.translateVariables invokes the OGNL parser directly and evaluates the expression.
Fix:
Wait for the official one; I'm in no hurry anyway. Or, if some kind soul reposts this, please add a fix while you're at it.