表达式语言注入漏洞struts 2.5.13

时间:2018-05-18 19:56:44

标签: java security struts code-injection ognl

我正在使用对比度安全工具,并在我的应用程序中看到对比度报告漏洞,表示语言注入错误。

我已经对此进行了大量搜索,但没有发现任何内容,因为我的版本几乎是最新版本。

对比度是报告请求参数,命名为" abc"注入了一些东西。

以下是错误对比度报告 - 来自" abc"的表达式语言注入参数" /App/edit.action"

对比堆栈跟踪显示的内容类似于ognl jar中的方法 - 

ognl.Ognl.parseExpression(Ognl.java:110)
com.opensymphony.xwork2.ognl.OgnlUtil.compileAndExecute(OgnlUtil.java:397)
com.opensymphony.xwork2.ognl.OgnlUtil.setValue(OgnlUtil.java:310)
com.opensymphony.xwork2.ognl.OgnlValueStack.trySetValue(OgnlValueStack.java:188)
com.opensymphony.xwork2.ognl.OgnlValueStack.setValue(OgnlValueStack.java:175)
com.opensymphony.xwork2.ognl.OgnlValueStack.setParameter(OgnlValueStack.java:157)
com.opensymphony.xwork2.interceptor.ParametersInterceptor.setParameters(ParametersInterceptor.java:211)
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:129)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.ParametersInterceptor.doIntercept(ParametersInterceptor.java:137)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.StaticParametersInterceptor.intercept(StaticParametersInterceptor.java:201)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.MultiselectInterceptor.intercept(MultiselectInterceptor.java:67)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.DateTextFieldInterceptor.intercept(DateTextFieldInterceptor.java:133)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.CheckboxInterceptor.intercept(CheckboxInterceptor.java:89)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:243)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:101)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.ScopedModelDrivenInterceptor.intercept(ScopedModelDrivenInterceptor.java:142)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:160)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:175)
com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:99)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:121)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.interceptor.ServletConfigInterceptor.intercept(ServletConfigInterceptor.java:167)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.AliasInterceptor.intercept(AliasInterceptor.java:203)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.opensymphony.xwork2.interceptor.ExceptionMappingInterceptor.intercept(ExceptionMappingInterceptor.java:196)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
com.qd.bw.patient.common.web.DeviceDetectionInterceptor.intercept(DeviceDetectionInterceptor.java:68)
com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:249)
org.apache.struts2.factory.StrutsActionProxy.execute(StrutsActionProxy.java:48)
org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:574)
org.apache.struts2.dispatcher.ExecuteOperations.executeAction(ExecuteOperations.java:79)
org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:141)
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
org.owasp.stinger.StingerFilter.doStinger(StingerFilter.java:147)
org.owasp.stinger.StingerFilter.doFilter(StingerFilter.java:93)
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:88)
weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:78)
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3683)
weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3649)
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:326)
weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197)
weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203)
weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71)
weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2433)
weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2281)
weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2259)
weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1686)
weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1646)
weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:270)
weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:348)
weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:333)
weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:54)
weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:640)`enter code here`
weblogic.work.ExecuteThread.execute(ExecuteThread.java:406)
weblogic.work.ExecuteThread.run(ExecuteThread.java:346)

1 个答案:

答案 0 :(得分:3)

此处的对比安全性。我们喜欢在StackOverflow上看到问题!

听起来好像Struts 2将HTTP请求参数提供给OGNL评估程序。未经任何验证或编码,攻击者很可能会使用此参数在服务器上执行任意代码。

这可能是我们的产品,发现了已经成为众所周知的漏洞(例如CVE-2017-5638)。您可以粘贴更多详细信息,我们可以在此处提供帮助,也可以通过发送电子邮件至support@contrastsecurity.com来打开故障单。

相关问题
最新问题