
Struts2 vulnerabilities and Struts Scan tools

2025-04-01 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I. Apache Struts 2 Vulnerability Background

1. Vulnerability Details

On March 6, 2017, a remote command execution vulnerability in Apache Struts 2 was disclosed. When file upload is handled by the Jakarta multipart plug-in, a malicious user can place crafted code in the Content-Type value of the HTTP request header, execute system commands on the server, and take full control of it, and from there carry out mining, outbound attacks, data theft and extortion, defacement into gambling sites, and so on. The components required for exploitation are enabled by default, so the risk level is high.

2. Vulnerability Number

CVE-2017-5638, CNNVD-201703-152

3. Affected Struts2 Versions

Struts 2.3.5 - Struts 2.3.31

Struts 2.5 - Struts 2.5.10

4. Solution

(1) Temporary solution: delete the commons-fileupload-x.jar file (this makes the upload function unavailable).

(2) Root solution: upgrade to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate the vulnerability. Since a version change is involved, back up data before upgrading.

Patch address:

Struts 2.3.32: https://github.com/apache/struts/releases/tag/STRUTS_2_3_32

Struts 2.5.10.1: https://github.com/apache/struts/releases/tag/STRUTS_2_5_10_1

5. Self-detection method

Look at the struts2-core-x.x.jar file under the web directory's /WEB-INF/lib/. The vulnerability exists if the version number x.x lies between 2.3.5 and 2.3.31 or between 2.5 and 2.5.10 and the default configuration has not been modified.
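The self-check above can be scripted for a whole web directory. The following is an added example, not code from the original article or from the struts-scan project: it walks every WEB-INF/lib under a webapp root, extracts the version from struts2-core-*.jar file names, and flags versions inside the affected ranges stated above (2.3.5 to 2.3.31 and 2.5 to 2.5.10). The sample jar tree it builds is constructed for demonstration.

```python
import os
import re
import tempfile

# Affected struts2-core ranges for CVE-2017-5638 (S2-045), as listed in the advisory.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.3.15' into (2, 3, 15) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True if the version lies in an affected range.
    Tuple ordering handles the edges: (2, 5) <= (2, 5, 0) and
    (2, 5, 10, 1) > (2, 5, 10), so the fixed 2.5.10.1 is not flagged.
    This only checks the jar version; a server whose default multipart
    parser was changed may still be unaffected, as the text above notes."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_struts_jars(webapp_dir):
    """Return (path, version, affected) for each struts2-core jar under WEB-INF/lib."""
    findings = []
    for root, _dirs, files in os.walk(webapp_dir):
        if not root.replace("\\", "/").endswith("WEB-INF/lib"):
            continue  # jars elsewhere are not loaded by the webapp
        for name in files:
            match = JAR_RE.match(name)
            if match:
                version = match.group(1)
                findings.append((os.path.join(root, name), version, is_affected(version)))
    return findings


def demo():
    """Build a constructed webapp tree and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "app1", "WEB-INF", "lib")
        lib2 = os.path.join(tmp, "app2", "WEB-INF", "lib")
        os.makedirs(lib)
        os.makedirs(lib2)
        for d, jar in [(lib, "struts2-core-2.3.15.jar"), (lib, "commons-fileupload-1.3.2.jar"),
                       (lib2, "struts2-core-2.5.10.1.jar"), (tmp, "struts2-core-2.3.5.jar")]:
            open(os.path.join(d, jar), "w").close()
        return find_struts_jars(tmp)


if __name__ == "__main__":
    for path, version, affected in demo():
        print(f"{'VULNERABLE' if affected else 'ok        '} {version}  {path}")
```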

II. Struts Scan Tool Introduction

Usage scenario: verify from outside the host whether the vulnerability exists.

Prerequisites: a Python environment is needed on the host; search Baidu for installation instructions.

1. Struts Scan tool download address

(1)[Recommended] Lucifer Original on GitHub: https://github.com/Lucifer1993/struts-scan

(2) Backup a copy in Baidu network disk: pan.baidu.com/s/1ji8uTB73gXMFaTyW5r6Jbg Password: 99f4

2. Struts Scan tool usage

(1) Upload the downloaded package to any directory on the cloud host; I uploaded it to /root/struts-scan/.

(2) Usage:

· python struts-scan.py http://example.com/index.action (detection)

· python struts-scan.py -u http://example.com/index.action -i struts2-045 (enter the interactive shell for the specified vulnerability)

· python struts-scan.py -f url.txt (batch detection)

Example: python struts-scan.py http://www.baidu.com

Note: if Python reports the following error:

Traceback (most recent call last):
  File "struts-scan.py", line 13, in <module>
    from termcolor import cprint
ImportError: No module named termcolor

then, as the error indicates, run the following commands to fix it:

yum install python-pip

pip install termcolor

III. Intrusion analysis case

1. 2017-12-25: the CPU of a cloud tenant stayed continuously high. Investigation found a malicious process named md, located at /var/tmp/.c4k/, and a scheduled task added to crontab.

2. ThreatBook (Microstep Online) identified it as a Bitcoin mining trojan:

3. Under the website directory /WEB-INF/lib/, the vulnerable struts2 library version 2.3.15 was found.

struts-scan confirmed the Struts2-045 and Struts2-048 vulnerabilities.

4. This article lists only the key steps; during the analysis we also looked at weak-password brute forcing, the /var/log/secure log, the server.xml configuration file, and so on. For the general analysis process, refer to my Linux intrusion analysis trilogy.

In the end the focus fell on the struts2 vulnerability. It can serve as a checkpoint for intrusion traceability analysis on website-class hosts and be included in the TSG (Troubleshooting Guide) to improve efficiency.
