
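    Struts2 Vulnerability Analysis Series - S2-007 / From Type Conversion to RCE

    VSole 2021-12-08 16:58:24

    Vulnerability overview

    S2-007 works as follows: when a type-conversion error is handled, the error is stored in memory, and later in the request flow that stored value triggers an OGNL expression injection.

    Affected versions: 2.0.0 – 2.2.3

    Version used for reproduction: 2.2.3

    Official issue page: https://cwiki.apache.org/confluence/display/WW/S2-007

    Setting up the environment

    Because this vulnerability arises when a property of a bean undergoes type conversion, we need to write an Action class: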

    import com.opensymphony.xwork2.ActionSupport;

    public class LoginAction extends ActionSupport {
        private String username;
        private String password;
        // Non-String property: a request value that cannot be parsed as int causes a conversion error.
        private int age;

        public String getUsername() {
            return username;
        }

        public String getPassword() {
            return password;
        }

        public int getAge() {
            return age;
        }

        public void setUsername(String username) {
            this.username = username;
        }

        public void setPassword(String password) {
            this.password = password;
        }

        public void setAge(int age) {
            this.age = age;
        }

        public String execute() throws Exception {
            if (this.username == null || this.password == null) {
                return "failed";
            }

            if (this.username.equals("admin") && this.password.equals("admin")) {
                return "success";
            }

            return "failed";
        }
    }
    

    Next, write two JSP files: index.jsp simulates the page shown after the user logs in, and login.jsp simulates the login page.

    index.jsp:

    <%@ page contentType="text/html;charset=UTF-8" language="java" %>
    <html>
      <head>
        <title>Admin Console</title>
      </head>
      <body>
      Hello admin
      </body>
    </html>
    

    login.jsp:

    <%@ page language="java" contentType="text/html; charset=UTF-8"
             pageEncoding="UTF-8"%>
    <%@ taglib prefix="s" uri="/struts-tags" %>
    <html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>S2-007</title>
    </head>
    <body>
    <h2>S2-007 Demo</h2>
    <p>link: <a >https://struts.apache.org/docs/s2-007.html</a></p>

    <s:form action="login">
        <s:textfield name="username" label="username" />
        <s:textfield name="password" label="password" />
        <s:textfield name="age" label="age" />
        <s:submit></s:submit>
    </s:form>
    </body>
    </html>
    

    Next, write struts.xml to define the routing and the pages rendered on success, failure and error:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE struts PUBLIC
            "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
            "http://struts.apache.org/dtds/struts-2.0.dtd">
    <struts>
        <package name="st2-demo" extends="struts-default">
            <action name="login" class="LoginAction">
                <result name="success">index.jsp</result>
                <result name="failed">login.jsp</result>
                <result name="input">login.jsp</result>
            </action>
        </package>
    </struts>
    

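    Then configure the web server and deploy the application. After deployment, submit the payload '+(#application)+' to test whether the corresponding information is echoed back: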

     

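    Vulnerability analysis

    2.0 Reporting the error

    As covered earlier in this series, Struts2 has many interceptors that prepare a request before it actually reaches the execute method. One of them is ParametersInterceptor, which assigns the request parameters to the bean that corresponds to the current request. Request parameters are always Strings, but the bean's properties are not necessarily Strings, so a type conversion is performed automatically, and when a conversion fails the error is recorded.

    For example, aaa can never be converted to int, whereas 123 (as a String) can. I won't go into the conversion logic itself here; the focus of this article is the error-recording part.

    Relevant code: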

    com.opensymphony.xwork2.conversion.impl.XWorkConverter#handleConversionException

    protected void handleConversionException(Map<String, Object> context, String property, Object value, Object object) {
        // Errors are recorded only when report.conversion.errors is TRUE in the context.
        if (context != null && Boolean.TRUE.equals(context.get("report.conversion.errors"))) {
            String realProperty = property;
            String fullName = (String)context.get("conversion.property.fullName");
            if (fullName != null) {
                realProperty = fullName;
            }

            Map<String, Object> conversionErrors = (Map)context.get("com.opensymphony.xwork2.ActionContext.conversionErrors");
            if (conversionErrors == null) {
                conversionErrors = new HashMap();
                context.put("com.opensymphony.xwork2.ActionContext.conversionErrors", conversionErrors);
            }

            // Key: property name; value: the raw request value that failed to convert.
            ((Map)conversionErrors).put(realProperty, value);
        }

    }
    

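    Exceptions raised during type conversion are collected by handleConversionException, but only if the report.conversion.errors key is true; by default this key is true.

    It then obtains the name of the property whose conversion failed and the com.opensymphony.xwork2.ActionContext.conversionErrors Map (initializing the Map if necessary), and finally puts the property name and its corresponding value into that Map.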
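
    The recording step described above, as an added example that is not code from the original article or from XWork: it reports which request parameters would end up in the conversionErrors map for a bean shaped like the page's LoginAction. DemoAction, convertible and collectConversionErrors are hypothetical names, the request values are constructed, and the conversion check is a simplified assumption rather than XWork's converter logic.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.LinkedHashMap;
import java.util.Map;

public class ConversionErrorSurface {

    // Constructed stand-in for the page's LoginAction: same three properties.
    public static class DemoAction {
        private String username, password;
        private int age;
        public void setUsername(String v) { this.username = v; }
        public void setPassword(String v) { this.password = v; }
        public void setAge(int v) { this.age = v; }
    }

    // Simplified conversion check (assumption): XWork's real converters are richer,
    // but a String target never fails while a non-String target can.
    static boolean convertible(String raw, Class<?> target) {
        try {
            if (target == String.class) return true;
            if (target == int.class || target == Integer.class) { Integer.parseInt(raw.trim()); return true; }
            if (target == long.class || target == Long.class) { Long.parseLong(raw.trim()); return true; }
            if (target == double.class || target == Double.class) { Double.parseDouble(raw.trim()); return true; }
            if (target == boolean.class || target == Boolean.class) {
                return raw.equalsIgnoreCase("true") || raw.equalsIgnoreCase("false");
            }
            return false; // unknown target type: assume the conversion fails
        } catch (NumberFormatException e) {
            return false;
        }
    }

    // Mirrors the effect of handleConversionException: property name -> raw value
    // for every parameter that could not be converted to its setter's type.
    static Map<String, Object> collectConversionErrors(Class<?> bean, Map<String, String> params)
            throws Exception {
        Map<String, Object> conversionErrors = new LinkedHashMap<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean, Object.class).getPropertyDescriptors()) {
            String raw = params.get(pd.getName());
            if (raw == null || pd.getWriteMethod() == null) continue;
            if (!convertible(raw, pd.getPropertyType())) {
                conversionErrors.put(pd.getName(), raw); // the raw String is kept verbatim
            }
        }
        return conversionErrors;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request parameters.
        Map<String, String> wellFormed = new LinkedHashMap<>();
        wellFormed.put("username", "admin");
        wellFormed.put("password", "admin");
        wellFormed.put("age", "123");

        Map<String, String> malformed = new LinkedHashMap<>(wellFormed);
        malformed.put("username", "not-a-number"); // String target: never recorded
        malformed.put("age", "aaa");               // int target: recorded with its raw value

        System.out.println("well-formed request -> " + collectConversionErrors(DemoAction.class, wellFormed));
        System.out.println("malformed request   -> " + collectConversionErrors(DemoAction.class, malformed));
    }
}
```

    Only the non-String property can reach the error map, and what is stored there is the untouched request string, which is the value the later error-handling step works on.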

    Relevant call stack:

    handleConversionException:438, XWorkConverter (com.opensymphony.xwork2.conversion.impl)
    convertValue:338, XWorkConverter (com.opensymphony.xwork2.conversion.impl)
    convertValue:39, OgnlTypeConverterWrapper (com.opensymphony.xwork2.ognl)
    getConvertedType:1060, OgnlRuntime (ognl)
    getConvertedTypes:1077, OgnlRuntime (ognl)
    getConvertedMethodAndArgs:1103, OgnlRuntime (ognl)
    getAppropriateMethod:1189, OgnlRuntime (ognl)
    callAppropriateMethod:1203, OgnlRuntime (ognl)
    setMethodValue:1474, OgnlRuntime (ognl)
    setPossibleProperty:85, ObjectPropertyAccessor (ognl)
    setProperty:162, ObjectPropertyAccessor (ognl)
    setProperty:27, ObjectAccessor (com.opensymphony.xwork2.ognl.accessor)
    setProperty:2245, OgnlRuntime (ognl)
    setProperty:77, CompoundRootAccessor (com.opensymphony.xwork2.ognl.accessor)
    setProperty:2245, OgnlRuntime (ognl)
    setValueBody:127, ASTProperty (ognl)
    evaluateSetValueBody:220, SimpleNode (ognl)
    setValue:301, SimpleNode (ognl)
    setValue:737, Ognl (ognl)
    setValue:209, OgnlUtil (com.opensymphony.xwork2.ognl)
    trySetValue:173, OgnlValueStack (com.opensymphony.xwork2.ognl)
    setValue:160, OgnlValueStack (com.opensymphony.xwork2.ognl)
    setValue:151, OgnlValueStack (com.opensymphony.xwork2.ognl)
    setParameters:288, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
    doIntercept:199, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:190, StaticParametersInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:75, MultiselectInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:94, CheckboxInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:243, FileUploadInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:100, ModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:141, ScopedModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:270, DebuggingInterceptor (org.apache.struts2.interceptor.debugging)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:145, ChainingInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:171, PrepareInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:176, I18nInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:164, ServletConfigInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:190, AliasInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:187, ExceptionMappingInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    execute:52, StrutsActionProxy (org.apache.struts2.impl)
    serviceAction:498, Dispatcher (org.apache.struts2.dispatcher)
    doFilter:434, FilterDispatcher (org.apache.struts2.dispatcher)
    internalDoFilter:239, ApplicationFilterChain (org.apache.catalina.core)
    doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
    invoke:219, StandardWrapperValve (org.apache.catalina.core)
    invoke:106, StandardContextValve (org.apache.catalina.core)
    invoke:501, AuthenticatorBase (org.apache.catalina.authenticator)
    invoke:142, StandardHostValve (org.apache.catalina.core)
    invoke:79, ErrorReportValve (org.apache.catalina.valves)
    invoke:610, AbstractAccessLogValve (org.apache.catalina.valves)
    invoke:88, StandardEngineValve (org.apache.catalina.core)
    service:516, CoyoteAdapter (org.apache.catalina.connector)
    process:1086, AbstractHttp11Processor (org.apache.coyote.http11)
    process:659, AbstractProtocol$AbstractConnectionHandler (org.apache.coyote)
    process:223, Http11NioProtocol$Http11ConnectionHandler (org.apache.coyote.http11)
    doRun:1558, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
    run:1515, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
    runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
    run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
    run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
    run:748, Thread (java.lang)
    

    2.1 Handling the error

    As described above, errors produced during type conversion in ParametersInterceptor are stored in com.opensymphony.xwork2.ActionContext.conversionErrors.

    Later in the flow, ConversionErrorInterceptor processes those errors:

    com.opensymphony.xwork2.interceptor.ConversionErrorInterceptor#intercept

    public String intercept(ActionInvocation invocation) throws Exception {
        ActionContext invocationContext = invocation.getInvocationContext();
        Map<String, Object> conversionErrors = invocationContext.getConversionErrors();
        ValueStack stack = invocationContext.getValueStack();
        HashMap<Object, Object> fakie = null;
        Iterator i$ = conversionErrors.entrySet().iterator();

        while(i$.hasNext()) {
            Entry<String, Object> entry = (Entry)i$.next();
            String propertyName = (String)entry.getKey();
            Object value = entry.getValue();
            if (this.shouldAddError(propertyName, value)) {
                String message = XWorkConverter.getConversionErrorMessage(propertyName, stack);
                Object action = invocation.getAction();
                if (action instanceof ValidationAware) {
                    ValidationAware va = (ValidationAware)action;
                    va.addFieldError(propertyName, message);
                }

                if (fakie == null) {
                    fakie = new HashMap();
                }

                // The raw request value is turned into an override expression here.
                fakie.put(propertyName, this.getOverrideExpr(invocation, value));
            }
        }

        if (fakie != null) {
            stack.getContext().put("original.property.override", fakie);
            invocation.addPreResultListener(new PreResultListener() {
                public void beforeResult(ActionInvocation invocation, String resultCode) {
                    Map<Object, Object> fakie = (Map)invocation.getInvocationContext().get("original.property.override");
                    if (fakie != null) {
                        invocation.getStack().setExprOverrides(fakie);
                    }

                }
            });
        }

        return invocation.invoke();
    }
    

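    It first fetches all errors via getConversionErrors and processes them in a while loop: it takes each entry's key and value, then uses shouldAddError to check whether value or propertyName is empty; if not, execution enters the if block.

    Inside the if block it obtains the message for this error and the Action for the current request, and, if the Action implements ValidationAware, calls its addFieldError method. None of that is the important part, though; the important part is the fakie.put below.

    Note that getOverrideExpr is called here to process value: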

    protected Object getOverrideExpr(ActionInvocation invocation, Object value) {
        ValueStack stack = invocation.getStack();

        String var4;
        try {
            stack.push(value);
            // The value is wrapped in single quotes without any escaping.
            var4 = "'" + stack.findValue("top", String.class) + "'";
        } finally {
            stack.pop();
        }

        return var4;
    }
    

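    Here value is first pushed onto the stack, then read back through the top syntax and wrapped in a ' on each side; finally pop removes the value that was pushed, and the concatenated value is returned. At this point our payload has changed from '+(#application)+' to ''+(#application)+'': the single quotes on both sides have been closed by our own input, which sets up the exploitation that follows.

    After the value has been concatenated it is put into fakie. Finally a PreResultListener is added to the invocation; it retrieves the fakie map and calls setExprOverrides on it: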

    public void setExprOverrides(Map<Object, Object> overrides) {
        if (this.overrides == null) {
            this.overrides = overrides;
        } else {
            this.overrides.putAll(overrides);
        }

    }
    

    setExprOverrides assigns the overrides passed in to the this.overrides property. Later, during template rendering, lookupForOverrides retrieves the value for a given key from this.overrides.

    private String lookupForOverrides(String expr) {
        if (this.overrides != null && this.overrides.containsKey(expr)) {
            expr = (String)this.overrides.get(expr);
        }

        return expr;
    }
    

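    Finally getValue is called on the retrieved value, and OGNL expression parsing is triggered inside getValue. This was covered in the S2-001 article, so I won't repeat it here.

    Full call stack: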

    tryFindValue:331, OgnlValueStack (com.opensymphony.xwork2.ognl)
    tryFindValueWhenExpressionIsNotNull:307, OgnlValueStack (com.opensymphony.xwork2.ognl)
    findValue:293, OgnlValueStack (com.opensymphony.xwork2.ognl)
    findValue:350, OgnlValueStack (com.opensymphony.xwork2.ognl)
    translateVariables:196, TextParseUtil (com.opensymphony.xwork2.util)
    translateVariables:115, TextParseUtil (com.opensymphony.xwork2.util)
    translateVariables:88, TextParseUtil (com.opensymphony.xwork2.util)
    findValue:378, Component (org.apache.struts2.components)
    evaluateParams:769, UIBean (org.apache.struts2.components)
    end:510, UIBean (org.apache.struts2.components)
    doEndTag:42, ComponentTagSupport (org.apache.struts2.views.jsp)
    _jspx_meth_s_005ftextfield_005f2:18, login_jsp (org.apache.jsp)
    _jspx_meth_s_005fform_005f0:18, login_jsp (org.apache.jsp)
    _jspService:14, login_jsp (org.apache.jsp)
    service:70, HttpJspBase (org.apache.jasper.runtime)
    service:725, HttpServlet (javax.servlet.http)
    service:431, JspServletWrapper (org.apache.jasper.servlet)
    serviceJspFile:396, JspServlet (org.apache.jasper.servlet)
    service:340, JspServlet (org.apache.jasper.servlet)
    service:725, HttpServlet (javax.servlet.http)
    internalDoFilter:291, ApplicationFilterChain (org.apache.catalina.core)
    doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
    doFilter:52, WsFilter (org.apache.tomcat.websocket.server)
    internalDoFilter:239, ApplicationFilterChain (org.apache.catalina.core)
    doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
    invoke:721, ApplicationDispatcher (org.apache.catalina.core)
    processRequest:466, ApplicationDispatcher (org.apache.catalina.core)
    doForward:391, ApplicationDispatcher (org.apache.catalina.core)
    forward:318, ApplicationDispatcher (org.apache.catalina.core)
    doExecute:157, ServletDispatcherResult (org.apache.struts2.dispatcher)
    execute:186, StrutsResultSupport (org.apache.struts2.dispatcher)
    executeResult:373, DefaultActionInvocation (com.opensymphony.xwork2)
    invoke:277, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:263, ValidationInterceptor (com.opensymphony.xwork2.validator)
    doIntercept:68, AnnotationValidationInterceptor (org.apache.struts2.interceptor.validation)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:133, ConversionErrorInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:207, ParametersInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:190, StaticParametersInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:75, MultiselectInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:94, CheckboxInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:243, FileUploadInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:100, ModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:141, ScopedModelDrivenInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:270, DebuggingInterceptor (org.apache.struts2.interceptor.debugging)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:145, ChainingInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    doIntercept:171, PrepareInterceptor (com.opensymphony.xwork2.interceptor)
    intercept:98, MethodFilterInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:176, I18nInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:164, ServletConfigInterceptor (org.apache.struts2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:190, AliasInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    intercept:187, ExceptionMappingInterceptor (com.opensymphony.xwork2.interceptor)
    invoke:248, DefaultActionInvocation (com.opensymphony.xwork2)
    execute:52, StrutsActionProxy (org.apache.struts2.impl)
    serviceAction:498, Dispatcher (org.apache.struts2.dispatcher)
    doFilter:434, FilterDispatcher (org.apache.struts2.dispatcher)
    internalDoFilter:239, ApplicationFilterChain (org.apache.catalina.core)
    doFilter:206, ApplicationFilterChain (org.apache.catalina.core)
    invoke:219, StandardWrapperValve (org.apache.catalina.core)
    invoke:106, StandardContextValve (org.apache.catalina.core)
    invoke:501, AuthenticatorBase (org.apache.catalina.authenticator)
    invoke:142, StandardHostValve (org.apache.catalina.core)
    invoke:79, ErrorReportValve (org.apache.catalina.valves)
    invoke:610, AbstractAccessLogValve (org.apache.catalina.valves)
    invoke:88, StandardEngineValve (org.apache.catalina.core)
    service:516, CoyoteAdapter (org.apache.catalina.connector)
    process:1086, AbstractHttp11Processor (org.apache.coyote.http11)
    process:659, AbstractProtocol$AbstractConnectionHandler (org.apache.coyote)
    process:223, Http11NioProtocol$Http11ConnectionHandler (org.apache.coyote.http11)
    doRun:1558, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
    run:1515, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
    runWorker:1149, ThreadPoolExecutor (java.util.concurrent)
    run:624, ThreadPoolExecutor$Worker (java.util.concurrent)
    run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
    run:748, Thread (java.lang)
    

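    At this point one thing is worth pointing out. The payload circulating online is '+(#application)+'; it can be rewritten in a form that is easier to understand, namely ' + #{application} + ', which may make it easier to see which part is the OGNL expression.

    Fix

    The fix for S2-007 is also very blunt. Without further ado, look at the diff:

    As you can see, the fix is very blunt: the value is escaped with StringEscapeUtils.escapeJava, and the single quotes that used to surround it are replaced with double quotes. We can no longer break out of the surrounding quotes, because " is escaped to \".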
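
    The quoting problem in getOverrideExpr and the patched behaviour described above, side by side, as an added example that is not Struts code and not from the original article. The class and method names are hypothetical, escapeJavaMinimal is a reduced stand-in (assumption) for StringEscapeUtils.escapeJava, and isSingleStringLiteral is a small scanner written for this example that checks whether the wrapped value still parses as exactly one quoted literal.

```java
public class OverrideExprQuoting {

    // Pre-fix behaviour shown on the page: raw value wrapped in single quotes.
    static String vulnerableOverrideExpr(String value) {
        return "'" + value + "'";
    }

    // Patched behaviour described on the page: Java-escape, then double quotes.
    static String fixedOverrideExpr(String value) {
        return "\"" + escapeJavaMinimal(value) + "\"";
    }

    // Reduced stand-in (assumption) for StringEscapeUtils.escapeJava: only
    // backslash, double quote and common control characters are handled.
    static String escapeJavaMinimal(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': out.append("\\\\"); break;
                case '"':  out.append("\\\""); break;
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                case '\t': out.append("\\t");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // True when expr is exactly one quoted string literal: the first unescaped
    // occurrence of the opening quote must be the last character of expr.
    static boolean isSingleStringLiteral(String expr) {
        if (expr.length() < 2) return false;
        char quote = expr.charAt(0);
        if (quote != '\'' && quote != '"') return false;
        for (int i = 1; i < expr.length(); i++) {
            char c = expr.charAt(i);
            if (c == '\\') { i++; continue; }          // skip the escaped character
            if (c == quote) return i == expr.length() - 1;
        }
        return false;                                  // literal never closed
    }

    public static void main(String[] args) {
        String[] samples = {
            "abc",                    // ordinary value that fails int conversion
            "'+(#application)+'",     // payload quoted on the page
            "\"+(#application)+\""    // same payload re-quoted against the patched wrapper
        };
        for (String v : samples) {
            String before = vulnerableOverrideExpr(v);
            String after = fixedOverrideExpr(v);
            System.out.printf("%-22s before=%-24s literal=%-5b after=%-26s literal=%b%n",
                    v, before, isSingleStringLiteral(before),
                    after, isSingleStringLiteral(after));
        }
    }
}
```

    With the single-quote wrapper the page's payload no longer forms one literal, so the part between the quotes is left as an expression; with escaping plus double quotes every sample stays a single literal.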

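    A small issue

    As I wrote at the very beginning, during my testing I found that some lower versions do not work. This is because in some lower versions the XWorkConverter class was removed, so there is no error-reporting step and therefore no vulnerability in the later error handling. For a stable reproduction it is best to use version 2.2.3.

    A gripe

    While analyzing this vulnerability I naturally consulted some articles online, for example:

    • https://github.com/xhycccc/Struts2-Vuln-Demo/tree/master/s2-007
    • https://xz.aliyun.com/t/2684

    The reference link given in the GitHub repository is the second link above. However, the vulnerability-analysis part of that second article has some problems: for example, this vulnerability does not require writing any validate.xml at all, and the OGNL expression is not actually triggered at invoke but in the calls that come after it.

    Yet such incorrect articles still get copied over and over. This is just a gripe; I hope that when reproducing a vulnerability people will copy only after truly understanding it, otherwise those who have never reproduced it are easily misled.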

    This work is licensed under a CC license; reposts must credit the author and link to this article.