This article summarizes how to fix the Struts2 S2-016 vulnerability. Readers who need it are welcome to discuss it here.
The Struts2 S2-016 vulnerability was a fairly serious one at the time, and it still lingers in some old legacy systems.
The vulnerability affects all versions from Struts 2.0 through Struts 2.3 and can lead directly to remote control of the server and data leakage.
Four repair methods are summarized below:
1. Upgrade the version
This is Apache's official recommendation: upgrade Struts2 to a version above 2.3.15. This method only requires replacing a few JAR packages, listed below:
commons-lang3-3.2.jar
freemarker-2.3.22.jar
javassist-3.11.0.GA.jar
ognl-3.0.6.jar
struts2-core-2.3.24.jar
struts2-spring-plugin-2.3.24.jar
xwork-core-2.3.24.jar
You just need to replace the older JAR packages in the old system with the ones above (versions may vary);
However, this approach has drawbacks. If the system is very complex, version incompatibilities and JAR version conflicts may occur, leaving some system functions unusable.
2. Overwrite the JAR package
Download the image above, change its suffix to .zip, and add the three extracted folders to the src directory of the affected system
Then add the listener to the web.xml file:
The code is as follows:
<listener>
    <listener-class>org.hdht.commonweb.listener.MyServletContextListener</listener-class>
</listener>
Finally, publish the project and restart the server
3. Modify the Struts2 source code
Find struts2-core-22.3.jar in your project, decompile its source code, create a new Java project in Eclipse, and import the decompiled source into it
Modify the handleSpecialParameters method in org\apache\struts2\dispatcher\mapper\DefaultActionMapper.java
Add the following code to the while loop:
The code is as follows:
    // Strip the image-button coordinate suffix so "name.x" / "name.y" is treated as "name"
    if (key.endsWith(".x") || key.endsWith(".y")) {
        key = key.substring(0, key.length() - 2);
    }
Jar and servlet-api.jar
Export the new project as a JAR package and replace the seven classes shown below in the original struts2-core-22.3.jar
4. Combine methods 2 and 3 above
Again, use the Struts2 source code. As in method 3, decompile the source and import it into a new project
Download the zip package from method 2, unpack it, and add the three folders to the org\apache\struts2\dispatcher\mapper package of the new project, as shown below
Then modify the handleSpecialParameters method in org\apache\struts2\dispatcher\mapper\DefaultActionMapper.java
Add the following code to the while loop:
The code is as follows:
    // Let the repair helper from the zip package reject the parameter first
    if (JavaEEbugRepair.repair_s2_017(key)) {
        return;
    }
    // Refuse parameter names that carry the special prefixes abused by S2-016
    if (key.contains("action") || key.contains("redirect") || key.contains("redirectAction:")) {
        return;
    }
Save and export the new project as a JAR package
Replace the seven classes in the original JAR, add the new repair package, copy the modified JAR into the project, and replace the previous JAR package
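The check that methods 3 and 4 insert into handleSpecialParameters, written out as a stand-alone helper. This is an added example, not the blog's code and not the contents of its zip package; the class name S2016ParameterCheck, the method name and the sample parameter names are assumptions, and it goes slightly beyond the blog's check by matching the prefixes case-insensitively and by applying the same .x/.y stripping the mapper does.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical helper (not the blog's code and not the contents of its zip
// package). It reproduces the idea behind methods 3 and 4: refuse any request
// parameter whose name carries one of the Struts2 special prefixes that
// S2-016 abuses, before DefaultActionMapper.handleSpecialParameters acts on it.
public class S2016ParameterCheck {

    // Prefixes that handleSpecialParameters honoured in Struts 2.0 - 2.3.15;
    // the blog's patch returns early when a key carries one of them.
    private static final List<String> SPECIAL_PREFIXES =
            Arrays.asList("action:", "redirect:", "redirectAction:");

    // Returns true when the parameter name must be rejected.
    public static boolean isDangerousParameterName(String key) {
        if (key == null) {
            return false;
        }
        // Mirror the image-button handling in DefaultActionMapper so that
        // a name such as "redirect:x.x" is still recognised.
        if (key.endsWith(".x") || key.endsWith(".y")) {
            key = key.substring(0, key.length() - 2);
        }
        for (String prefix : SPECIAL_PREFIXES) {
            // Case-insensitive, so "Redirect:" does not slip through.
            if (key.regionMatches(true, 0, prefix, 0, prefix.length())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, not captured traffic.
        Map<String, String[]> params = new LinkedHashMap<String, String[]>();
        params.put("username", new String[] {"alice"});
        params.put("redirect:/home", new String[] {""});
        params.put("submit.x", new String[] {"12"});
        for (String key : params.keySet()) {
            System.out.println(key + " -> " + (isDangerousParameterName(key) ? "reject" : "allow"));
        }
    }
}
```

The same method can be called from a servlet Filter over request.getParameterMap() to reject the whole request with a 400 before Struts dispatches it.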
Conclusion: The above four methods can basically handle S2-016 vulnerabilities in all projects.

Copyright notice: This article is an original work by CSDN blogger "HBohan", published under the CC 4.0 BY-SA license. Please attach the original source link and this statement when reproducing it. Original link: blog.csdn.net/HBohan/arti…