Struts2 Vulnerability Exploitation


1. Concepts

Apache Struts2 is a development framework for Java web applications and is widely used in the enterprise web application market.

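Because the framework is so widely used, it has been studied heavily by security researchers, and many high-risk vulnerabilities have been disclosed. The official site has published fixes for many of these security issues: http://struts.apache.org/docs/security-bulletins.html. Because the expressions are so flexible, the fixes are also easily bypassed.

Below is the list of vulnerabilities published on the official site; the entries marked in red are the high-risk ones that allow remote execution: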

  • S2-001 — Remote code exploit on form validation error
  • S2-002 — Cross site scripting (XSS) vulnerability on <s:url> and <s:a> tags
  • S2-003 — XWork ParameterInterceptors bypass allows OGNL statement execution
  • S2-004 — Directory traversal vulnerability while serving static content
  • S2-005 — XWork ParameterInterceptors bypass allows remote command execution CVE-2010-1870
  • S2-006 — Multiple Cross-Site Scripting (XSS) in XWork generated error pages CVE-2011-1772
  • S2-007 — User input is evaluated as an OGNL expression when there's a conversion error
  • S2-008 — Multiple critical vulnerabilities in Struts2
  • S2-009 — ParameterInterceptor vulnerability allows remote command execution CVE-2011-3923
  • S2-010 — When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes CVE-2012-4386
  • S2-011 — Long request parameter names might significantly promote the effectiveness of DOS attacks CVE-2012-4387
  • S2-012 — Showcase app vulnerability allows remote command execution CVE-2013-1965
  • S2-013 — A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution CVE-2013-1966
  • S2-014 — A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks CVE-2013-2115, CVE-2013-1966
  • S2-015 — A vulnerability introduced by wildcard matching mechanism or double evaluation of OGNL Expression allows remote command execution. CVE-2013-2135, CVE-2013-2134
  • S2-016 — A vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution CVE-2013-2251
  • S2-017 — A vulnerability introduced by manipulating parameters prefixed with "redirect:"/"redirectAction:" allows for open redirects CVE-2013-2248
  • S2-018 — Broken Access Control Vulnerability in Apache Struts2 CVE-2013-4310
  • S2-019 — Dynamic Method Invocation disabled by default CVE-2013-4316
  • S2-020 — Upgrade Commons FileUpload to version 1.3.1 (avoids DoS attacks) and adds 'class' to exclude params in ParametersInterceptor (avoid ClassLoader manipulation) CVE-2014-0050 (DoS), CVE-2014-0094 (ClassLoader manipulation)
  • S2-021 — Improves excluded params in ParametersInterceptor and CookieInterceptor to avoid ClassLoader manipulation CVE-2014-0112 CVE-2014-0113
  • S2-022 — Extends excluded params in CookieInterceptor to avoid manipulation of Struts' internals CVE-2014-0116
  • S2-023 — Generated value of token can be predictable CVE-2014-7809

2. Exploitation Tools

The K8 team's Struts exploitation tool suite

MSF's Struts vulnerability modules

 