asm.jar ===》 asm-3.3.jar
asm-attrs.jar ===》 asm-attrs-2.2.3.jar
cglib-2.1.jar ===》 cglib-nodep-2.2.2.jar
commons-beanutils.jar ===》 commons-beanutils-1.8.0.jar
commons-fileupload-1.1.1.jar ===》 commons-fileupload-1.3.jar
commons-io-1.3.2.jar ===》 commons-io-2.0.1.jar
commons-lang.jar ===》 commons-lang-2.4.jar
commons-logging-1.0.4.jar ===》 commons-logging-1.1.3.jar
commons-logging-1.1.jar ===》
ognl-3.0.1.jar ===》 ognl-3.0.6.jar
struts2-core-2.2.3.jar ===》 struts2-core-2.3.15.1.jar
struts2-json-plugin-2.2.3.jar ===》 struts2-json-plugin-2.3.15.1.jar
wsdl4j-1.5.1.jar ===》 wsdl4j-1.6.2.jar
wsdl4j-1.6.1.jar ===》
xwork-core-2.2.3.jar ===》 xwork-core-2.3.15.1.jar
Newly added jar ===》 asm-commons-3.3.jar
Newly added jar ===》 c3p0-0.9.1.2.jar
Newly added jar ===》 commons-lang3-3.1.jar
Newly added jar ===》 jms-1.1.jar
Newly added jar ===》 struts2-convention-plugin-2.3.15.1.jar
Newly added jar ===》 struts2-spring-plugin-2.3.15.1.jar
2. Related error messages and fixes
2.0 Set devMode to false
2.1 Warning: ActionContextCleanUp <<< is deprecated! Please use the new filters
***************************************************************************
* WARNING!!! *
* >>> ActionContextCleanUp <<< is deprecated! Please use the new filters! *
* This can be a source of unpredictable problems! *
* Please refer to the docs for more details! *
* http://struts.apache.org/2.x/docs/webxml.html *
***************************************************************************
In web.xml, change *.FilterDispatcher to *.ng.filter.StrutsPrepareAndExecuteFilter. FilterDispatcher is the core filter of Struts 2.0.x through 2.1.2. StrutsPrepareAndExecuteFilter has replaced FilterDispatcher since 2.1.3. StrutsPrepareAndExecuteFilter is the combination of StrutsPrepareFilter and StrutsExecuteFilter.
Comment out the following code:
<filter>
<filter-name>struts-cleanup</filter-name>
<filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
</filter>
<filter-mapping>
<filter-name>struts-cleanup</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
<!--<init-param>
<param-name>actionPackages</param-name>
<param-value>cn.xkshow.demo.action</param-value>
</init-param>-->
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>*.shtml</url-pattern>
<!--<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher> -->
</filter-mapping>
Replace the commented-out code with:
<filter>
<filter-name>struts2</filter-name>
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
<!-- <init-param></init-param> -->
</filter>
<filter-mapping>
<filter-name>struts2</filter-name>
<url-pattern>*.shtml</url-pattern>
</filter-mapping>
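Appendix: another remote code execution vulnerability in Struts2
Struts has another remote code execution vulnerability. An attacker can execute malicious code remotely by manipulating request parameters. In versions before Struts 2.3.15.1, the values of the action:, redirect: and redirectAction: prefixed parameters are not properly filtered, which leads to OGNL code execution.
Description
Affected versions: Struts 2.0.0 - Struts 2.3.15
Reporter: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID: CVE-2013-2251
Proof of concept
The parameter is evaluated as an OGNL expression: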
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Code execution
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Root cause
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
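An added example, not part of the original post: a scan of web access logs for the request pattern described above. It flags query parameters whose name starts with action:, redirect: or redirectAction: and marks those that carry an OGNL opener (%{ or ${) after percent-decoding. The combined log format and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Parameter prefixes named in the advisory text above.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Request field of a common/combined-format access log line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')
OGNL_RE = re.compile(r"[%$]\{")  # OGNL expression opener after decoding

# Constructed sample lines (not real traffic); payloads are the 3*4 probe only.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2013:10:00:01 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512',
    '192.0.2.10 - - [17/Jul/2013:10:00:02 +0000] "GET /struts2-showcase/employee/save.action?redirect:%2525%7B3*4%7D HTTP/1.1" 302 0',
    '192.0.2.11 - - [17/Jul/2013:10:00:03 +0000] "GET /struts2-showcase/employee/list.action?page=2&sort=name HTTP/1.1" 200 2048',
    '192.0.2.12 - - [17/Jul/2013:10:00:04 +0000] "POST /struts2-showcase/employee/edit.action?action:save=Submit HTTP/1.1" 200 1024',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2525%7B) is seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return (prefix, verdict) for the first prefixed parameter, else None."""
    query = target.partition("?")[2]
    for param in re.split(r"[&;]", query):
        name = decode(param.replace("+", " "))
        for prefix in PREFIXES:
            if name.startswith(prefix):
                rest = name[len(prefix):]
                return prefix, "ognl" if OGNL_RE.search(rest) else "prefix-only"
    return None

def scan(lines):
    """Return (line_number, prefix, verdict) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hit = classify(match.group(1)) if match else None
        if hit:
            hits.append((number, *hit))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A "prefix-only" hit is the legitimate form-button use of the prefix and is worth baselining rather than alerting on. Prefixed parameters sent in a POST body do not appear in access logs, so this scan only covers the query string.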