Struts2 framework XSLTRESULT local file code execution vulnerability

This is a vulnerability published by no one, occasionally see the code discovery. In fact, there are not many people used in this code, and you need to meet two situations before you can do it. I guess that the big cow that Struts2 remote code is issued, and it is impossible to find such a mentally loophole. So, or if there is any reason you can’t announce, or sell it, then it is good, this time I started, hahaha!

Let’s talk about the principle:

Struts2 allows Action to have multiple return types, including XSLT types, which allows users to submit a file address and to resolve it as a xslt file, regardless of the extension.

This is the XSLTRESULT file code: Get user submission “XSLT. location “of the value of String pathFromRequest ServletActionContext.getRequest () getParameter. (” xslt.location “); path pathFromRequest; URL resource ServletActionContext.getServletContext () getResource (path);. // parse the file submitted by the user’s address is xslttemplates factory.newTemplates NEW streamsource (resource.openStream ()));

And XSLT parsing will allow Java static methods, so as long as one file is uploaded on the server, for example


XML Version "1.0" Encoding "UTF-8"?>

Hacked by kxlzx h2> h2> exp> body> html> xsl: template>

When this XSL file is parsed, OGNL will be called.

Ognl: getValue (‘@ runtime @ getRuntime (). EXEC (“CALC”)’, ”)

Causes any code.

In fact, XSLT analysis can perform any code, not just Java, PHP can also, just most people don’t pay attention, I have seen a lot of articles about XSLT execution code, of course not for safety research.

Maybe this knowledge point knows not much, causing no one to discover the significant security issues of Struts2.

The gossip, this vulnerability and OGNL have any relationship, in fact, because of normal runtime.getruntime (). EXEC () is too much trouble, OGNL is very convenient,

Struts2 inevitably comes with an OGNL package, so I follow the big bovine footsteps, and firmly execute the OGNL statement.

After the file is uploaded, you want to find a return to the XSLT, the XSLTRESULT’s role is to return the action, directly converted to XML, easy to transfer.

Usually in Ajax, use this will be more common, so you should pay special attention when you see XML returns.

Suppose an XSLT returns an action address

We can submit

Http:// From the principle, see this vulnerability requires at least two situations:

1. The website uses XSLTRESULT to return

This is not well verified. Specifically, this return is to handle “object-xml”, that is, put an object, package into XML, then throw it out.Then the specific business logic is to see the function of the website.

2, have to have upload file function

Because the files must be in the web directory, he can only load it to the web, it will not work.But it is good to do not limit the file name and extension, there is a big chance.

PS: Who helped applying for a CVE…I won’t be a bird, this is not applying, of course, you don’t care if you apply your own name, just leave a link.