Struts2 vulnerability notes, and detailed steps for upgrading to 2.3.15.1

1. Jar changes

Removed jar                      ===> Added jar
asm.jar                          ===> asm-3.3.jar
asm-attrs.jar                    ===> asm-attrs-2.2.3.jar
cglib-2.1.jar                    ===> cglib-nodep-2.2.2.jar
commons-beanutils.jar            ===> commons-beanutils-1.8.0.jar
commons-fileupload-1.1.1.jar     ===> commons-fileupload-1.3.jar
commons-io-1.3.2.jar             ===> commons-io-2.0.1.jar
commons-lang.jar                 ===> commons-lang-2.4.jar
commons-logging-1.0.4.jar        ===> commons-logging-1.1.3.jar
commons-logging-1.1.jar          ===> (removed; superseded by commons-logging-1.1.3.jar)
ognl-3.0.1.jar                   ===> ognl-3.0.6.jar
struts2-core-2.2.3.jar           ===> struts2-core-2.3.15.1.jar
struts2-json-plugin-2.2.3.jar    ===> struts2-json-plugin-2.3.15.1.jar
wsdl4j-1.5.1.jar                 ===> wsdl4j-1.6.2.jar
wsdl4j-1.6.1.jar                 ===> (removed; superseded by wsdl4j-1.6.2.jar)
xwork-core-2.2.3.jar             ===> xwork-core-2.3.15.1.jar
(new)                            ===> asm-commons-3.3.jar
(new)                            ===> c3p0-0.9.1.2.jar
(new)                            ===> commons-lang3-3.1.jar
(new)                            ===> jms-1.1.jar
(new)                            ===> struts2-convention-plugin-2.3.15.1.jar
(new)                            ===> struts2-spring-plugin-2.3.15.1.jar

The vulnerability itself is fixed by replacing struts2-core, xwork-core and ognl; the rest of the list is what this particular application needed to satisfy the new dependencies. Note that the old lib directory carried two versions of commons-logging and two of wsdl4j side by side; which one the classloader picks is decided by load order, not by version, so remove both old copies before adding the new one.
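As an added example (not part of the original article), the following script audits the jar filenames in a WEB-INF/lib directory against the table above: it flags core artefacts below the 2.3.15.1 versions, old jars that should have been deleted, and libraries present in two versions. The minimum versions are taken from the table; SAMPLE_LIB is a constructed listing of a half-finished upgrade.

```python
# Added example (not from the original article): audit the jar filenames found in
# WEB-INF/lib against the upgrade table above. The jar list in the article is the
# author's application; the minimum versions below are the Struts 2.3.15.1 core
# artefacts from that table, and SAMPLE_LIB is a constructed listing of a
# half-finished upgrade.
import os
import re
from typing import Dict, List, Tuple

# Artefacts that must be present at or above the version the table installs.
MIN_VERSIONS = {
    "struts2-core": "2.3.15.1",
    "xwork-core": "2.3.15.1",
    "struts2-json-plugin": "2.3.15.1",
    "ognl": "3.0.6",
    "commons-fileupload": "1.3",
}

# The "removed jar" column of the table; none of these may remain.
REMOVED = {
    "asm.jar", "asm-attrs.jar", "cglib-2.1.jar", "commons-beanutils.jar",
    "commons-fileupload-1.1.1.jar", "commons-io-1.3.2.jar", "commons-lang.jar",
    "commons-logging-1.0.4.jar", "commons-logging-1.1.jar", "ognl-3.0.1.jar",
    "struts2-core-2.2.3.jar", "struts2-json-plugin-2.2.3.jar", "wsdl4j-1.5.1.jar",
    "wsdl4j-1.6.1.jar", "xwork-core-2.2.3.jar",
}

# artifact-id, optional "-<version>", ".jar"; the lazy name stops at the first
# "-<digit>" so "commons-lang3-3.1.jar" splits into ("commons-lang3", "3.1").
JAR_RE = re.compile(r"^(?P<name>[A-Za-z][\w.-]*?)(?:-(?P<ver>\d[\w.-]*))?\.jar$")

def parse_jar(filename: str) -> Tuple[str, str]:
    """'struts2-core-2.3.15.1.jar' -> ('struts2-core', '2.3.15.1');
    version-less jars such as 'asm.jar' return ('asm', '')."""
    m = JAR_RE.match(filename)
    if not m:
        raise ValueError(f"not a jar filename: {filename!r}")
    return m.group("name"), m.group("ver") or ""

def version_key(ver: str) -> Tuple[int, ...]:
    """Numeric tuple for comparisons: 2.3.15.1 must sort above 2.3.4, which a
    plain string comparison gets wrong. A missing version sorts lowest."""
    return tuple(int(p) for p in re.findall(r"\d+", ver)) or (0,)

def audit_lib(filenames: List[str]) -> Dict[str, List[str]]:
    """Compare a WEB-INF/lib listing with the upgrade table."""
    by_name: Dict[str, List[str]] = {}
    for f in filenames:
        name, ver = parse_jar(f)
        by_name.setdefault(name, []).append(ver)
    report: Dict[str, List[str]] = {"outdated": [], "missing": [], "leftover": [], "duplicates": []}
    for name, minimum in MIN_VERSIONS.items():
        if name not in by_name:
            report["missing"].append(name)
            continue
        for ver in by_name[name]:
            if version_key(ver) < version_key(minimum):
                report["outdated"].append(f"{name}-{ver or 'unversioned'} < {minimum}")
    report["leftover"] = sorted(f for f in filenames if f in REMOVED)
    # Two versions of one library on the classpath (commons-logging and wsdl4j in
    # the table) are resolved by classloader order, not by version.
    report["duplicates"] = sorted(n for n, v in by_name.items() if len(v) > 1)
    return report

def audit_dir(lib_dir: str) -> Dict[str, List[str]]:
    """Run the audit on a real WEB-INF/lib directory."""
    return audit_lib(sorted(f for f in os.listdir(lib_dir) if f.endswith(".jar")))

# Constructed listing: xwork-core already replaced but struts2-core not, the
# old ognl still present, and two versions each of asm and commons-logging.
SAMPLE_LIB = [
    "asm-3.3.jar", "asm.jar",
    "commons-fileupload-1.3.jar",
    "commons-logging-1.0.4.jar", "commons-logging-1.1.3.jar",
    "ognl-3.0.1.jar",
    "struts2-core-2.2.3.jar",
    "struts2-json-plugin-2.3.15.1.jar",
    "xwork-core-2.3.15.1.jar",
]

if __name__ == "__main__":
    for kind, items in audit_lib(SAMPLE_LIB).items():
        print(f"{kind}: {items}")
```

Point `audit_dir` at the exploded webapp's WEB-INF/lib after the upgrade; an empty report for all four keys is the expected result. The version comparison is numeric on purpose, since a lexical compare would rank 2.3.4 above 2.3.15.1.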


2. Related error messages and their fixes

2.0 Set devMode to false: struts.devMode (a constant in struts.xml, or a key in struts.properties) must be false on any production deployment; development mode switches on debugging behaviour that must not be reachable from the outside.

2.1 The ">>> ActionContextCleanUp <<< is deprecated! Please use the new filters" warning

***************************************************************************
*                                 WARNING!!!                              *
*                                                                         *
* >>> ActionContextCleanUp <<< is deprecated! Please use the new filters! *
*                                                                         *
*           This can be a source of unpredictable problems!               *
*           Please refer to the docs for more details!                    *
*           http://struts.apache.org/2.x/docs/webxml.html                 *
***************************************************************************

    In web.xml, change the filter class from org.apache.struts2.dispatcher.FilterDispatcher to org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter, and drop the ActionContextCleanUp filter entirely.
    FilterDispatcher was the core filter from Struts 2.0.x up to 2.1.2.
    StrutsPrepareAndExecuteFilter has replaced FilterDispatcher since 2.1.3.
    StrutsPrepareAndExecuteFilter is the combination of StrutsPrepareFilter and StrutsExecuteFilter.

Comment out (or delete) the old configuration:

    <filter>
        <filter-name>struts-cleanup</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>struts-cleanup</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
        <!--<init-param>
            <param-name>actionPackages</param-name>
            <param-value>cn.xkshow.demo.action</param-value>
        </init-param>-->
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>*.shtml</url-pattern>
        <!--<dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher> -->
    </filter-mapping>
Replace the commented-out block with:

    <filter>
        <filter-name>struts2</filter-name>
        <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
        <!-- <init-param></init-param> -->
    </filter>
    <filter-mapping>
        <filter-name>struts2</filter-name>
        <url-pattern>*.shtml</url-pattern>
    </filter-mapping>
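As an added example (not part of the original article), the following script checks both settings changed in steps 2.0 and 2.1: it parses web.xml for filter classes that are still FilterDispatcher or ActionContextCleanUp and confirms the replacement filter is declared and mapped, and it reads struts.devMode from struts.xml or struts.properties. OLD_WEB_XML and NEW_WEB_XML are built from the before/after configurations shown above; the struts.xml samples are constructed.

```python
# Added example (not from the original article): check web.xml for the deprecated
# Struts filters replaced in step 2.1 and check struts.xml / struts.properties for
# the devMode setting from step 2.0. OLD_WEB_XML and NEW_WEB_XML are built from the
# before/after configurations shown above; the struts.xml samples are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, Set

DEPRECATED_FILTERS = {
    "org.apache.struts2.dispatcher.ActionContextCleanUp",
    "org.apache.struts2.dispatcher.FilterDispatcher",
}
NEW_FILTER = "org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter"

def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix so a web.xml that declares the Java EE xmlns
    is handled the same as the namespace-less one above."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem: ET.Element, local_name: str) -> str:
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return ""

def audit_web_xml(web_xml: str) -> Dict[str, object]:
    """Which deprecated filter classes are still declared, and whether the
    replacement filter is both declared and mapped to a URL pattern."""
    root = ET.fromstring(web_xml)
    declared: Dict[str, str] = {}   # filter-name -> filter-class
    mapped: Set[str] = set()        # filter-names that have a filter-mapping
    for elem in root.iter():
        if _local(elem.tag) == "filter":
            declared[_child_text(elem, "filter-name")] = _child_text(elem, "filter-class")
        elif _local(elem.tag) == "filter-mapping":
            mapped.add(_child_text(elem, "filter-name"))
    return {
        "deprecated": sorted(c for c in declared.values() if c in DEPRECATED_FILTERS),
        "new_filter_mapped": any(n in mapped for n, c in declared.items() if c == NEW_FILTER),
    }

def dev_mode_enabled(struts_xml: str) -> bool:
    """True when struts.xml sets <constant name="struts.devMode" value="true"/>.
    The Struts default is false, so an absent constant means disabled."""
    root = ET.fromstring(struts_xml)
    for elem in root.iter():
        if _local(elem.tag) == "constant" and elem.get("name") == "struts.devMode":
            return elem.get("value", "").strip().lower() == "true"
    return False

def dev_mode_in_properties(text: str) -> bool:
    """Same check for struts.properties (key = value lines, # or ! comments)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "struts.devMode":
            return value.strip().lower() == "true"
    return False

# Built from the "before" configuration in this section.
OLD_WEB_XML = """<web-app>
  <filter>
    <filter-name>struts-cleanup</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ActionContextCleanUp</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts-cleanup</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.shtml</url-pattern>
  </filter-mapping>
</web-app>"""

# Built from the "after" configuration in this section.
NEW_WEB_XML = """<web-app>
  <filter>
    <filter-name>struts2</filter-name>
    <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>struts2</filter-name>
    <url-pattern>*.shtml</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed struts.xml fragments for the devMode check.
DEV_STRUTS_XML = '<struts><constant name="struts.devMode" value="true"/></struts>'
PROD_STRUTS_XML = '<struts><constant name="struts.devMode" value="false"/></struts>'

if __name__ == "__main__":
    print(audit_web_xml(OLD_WEB_XML))
    print(audit_web_xml(NEW_WEB_XML))
    print(dev_mode_enabled(DEV_STRUTS_XML), dev_mode_enabled(PROD_STRUTS_XML))
```

The filter check looks at declared filter classes rather than filter names, because the old and new filters in this section both use the name struts2; only the class tells them apart. Run both checks against every deployed descriptor, since a leftover struts.properties can override the struts.xml constant.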

      

Appendix: another remote code execution vulnerability in Struts2

Struts has been hit by yet another remote code execution vulnerability. An attacker can execute malicious code remotely simply by manipulating request parameters: in Struts versions before 2.3.15.1, the text following the action:, redirect: and redirectAction: parameter prefixes is not properly filtered and is evaluated as OGNL, so attacker-supplied OGNL runs on the server.

Description

Affected versions   Struts 2.0.0 - Struts 2.3.15
Fixed in            Struts 2.3.15.1
Reporter            Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE                 CVE-2013-2251

Proof of concept

The text after the prefix is evaluated as an OGNL expression. %25 is the URL-encoded percent sign, so after the container decodes the request Struts sees action:%{3*4}; for the redirect: variant, a Location header pointing at 12 shows that 3*4 was evaluated:

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

Code execution (the ProcessBuilder arguments below are placeholders for the command an attacker would run):

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

 

漏洞原理

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
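As an added example (not part of the original article or of the Struts code base), the following script models the prefix handling just described, places a hardened variant next to it, and runs a detector over access-log lines. The log lines are constructed from the proof-of-concept URLs on this page plus benign traffic; the hardening rules (drop redirect:/redirectAction:, accept action: only for plain action names) are this example's own choice, not the 2.3.15.1 patch reproduced verbatim.

```python
# Added example (not from the original article or the Struts project): a model of
# the parameter-prefix handling described above, a hardened variant, and a
# detector that runs over access-log lines. SAMPLE_LOG is constructed from the
# proof-of-concept URLs on this page plus benign traffic; the hardening rules are
# this example's own choice, not the Struts 2.3.15.1 patch verbatim.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl

# DefaultActionMapper treats a parameter NAME of the form "<prefix>:<target>" as a
# navigation instruction; the parameter's value plays no role.
NAV_PREFIXES = ("action", "redirect", "redirectAction")
# OGNL expressions in a navigation target start with %{ or ${.
OGNL_RE = re.compile(r"[%$]\{")
# A plain action name: what the action: prefix was designed to carry.
ACTION_NAME_RE = re.compile(r"^[A-Za-z0-9_/.-]+$")

def split_prefix(param_name: str) -> Optional[Tuple[str, str]]:
    """'redirect:%{3*4}' -> ('redirect', '%{3*4}'); None for ordinary parameters."""
    prefix, sep, target = param_name.partition(":")
    if sep and prefix in NAV_PREFIXES:
        return prefix, target
    return None

def vulnerable_mapper(param_names: List[str]) -> Optional[Tuple[str, str]]:
    """Pre-2.3.15.1 behaviour, simplified: the first prefixed parameter wins and
    its target is passed on unchanged, to be evaluated as OGNL against the value
    stack later in the request."""
    for name in param_names:
        hit = split_prefix(name)
        if hit:
            return hit
    return None

def hardened_mapper(param_names: List[str]) -> Optional[Tuple[str, str]]:
    """This example's hardening: ignore redirect:/redirectAction: entirely and
    accept action: only when the target is a plain action name, so nothing an
    attacker controls reaches the OGNL evaluator."""
    for name in param_names:
        hit = split_prefix(name)
        if hit and hit[0] == "action" and ACTION_NAME_RE.match(hit[1]):
            return hit
    return None

def suspicious_targets(query: str) -> List[Tuple[str, str]]:
    """Prefixed parameters whose target carries an OGNL marker. parse_qsl decodes
    exactly once, which mirrors what the servlet container hands to Struts: the
    %25{ in the proof-of-concept URLs becomes %{ here."""
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        found = split_prefix(name)
        if found and OGNL_RE.search(found[1]):
            hits.append(found)
    return hits

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(client ip, path, decoded target) for every request that carries an OGNL
    expression behind a navigation prefix."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for _prefix, target in suspicious_targets(query):
            findings.append((m.group("ip"), path, target))
    return findings

# Constructed sample log (Apache common log format): two attempts modelled on the
# URLs above, one benign use of redirectAction:, and one ordinary request.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:10:01:02 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jul/2013:10:01:07 +0000] "GET /struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{%27command%27,%27goes%27,%27here%27})).start()} HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:02:00 +0000] "POST /app/login.action?redirectAction:dashboard HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:02:30 +0000] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, target in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {target}")
```

The detector keys on the parameter name, not the value, because that is where the prefix lives; a rule that only inspects values misses every request shown in the proof of concept. Decoding once is deliberate: a payload that needs two decodes to reveal %{ never reaches the OGNL evaluator, so flagging it would be noise.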

