Shulou(Shulou.com)06/01 Report--

Apache Struts 2 Vulnerability Background 1. Vulnerability Details

On March 6, 2017, Apache Struts 2 was exposed to a remote command execution vulnerability. Under the condition of file upload function based on Jakarta plug-in, malicious users can construct malicious code by modifying the Content-Type value in HTTP request header, execute system commands on the server, completely control the server, and finally achieve the purpose of mining, external attack/attack, data theft extortion, tampering with spinach station, etc. The components required for exploitation are enabled by default and the risk level is high.

2. Vulnerability Number CVE-2017-5638CNNVD-201703-1523. Affected Struts2 Versions Struts 2.3.5 - Struts 2.3.31Struts 2.5 - Struts 2.5.14. Solution

(1) Temporary solution: delete commons-fileupload-x.jar file (which will make upload function unavailable).

(2) Root solution: Upgrade to Apache Struts 2.3.32 or Apache Struts 2.5.10.1 to eliminate vulnerability impact. When version changes are involved, data backup should be done before upgrading.

Patch address:

Struts 2.3.32： https://github.com/apache/struts/releases/tag/STRUTS_2_3_32

Struts 2.5.10.1： https://github.com/apache/struts/releases/tag/STRUTS_2_5_10_1

5. self-detection method

Looking at the struts2-core-x. x.jar file in the web directory/WEB-INF/lib/, the vulnerability exists if x represents a version number between 2.3.5 and 2.3.31 and 2.5 to 2.5.10 and the default configuration is not modified.

II. Struts Scan Tool Introduction

Usage scenario: Verify the existence of vulnerabilities on the periphery of the host.

Prerequisites: need to host a python environment, how to install their own Baidu.

1. Struts Scan tool download address

(1)[Recommended] Lucifer Original on GitHub: https://github.com/Lucifer1993/struts-scan

(2) Backup a copy in Baidu network disk: pan.baidu.com/s/1ji8uTB73gXMFaTyW5r6Jbg Password: 99f4

2. Struts Scan tool usage

(1) Upload the downloaded installation package to any directory of the cloud host, I upload it to/root/struts-scan/

(2) Use method:

· python struts-scan.py http://example.com/index.action detection

python struts-scan.py-u http://example.com/index.action-i struts2-045 Enter specified vulnerability interactive shell

· python struts-scan.py-f url.txt batch detection

Example: python struts-scan.py http://www.baidu.com

Note: If Python is wrong:

Traceback (most recent call last): File "struts-scan.py", line 13, in from termcolor import cprintImportError: No module named termcolor

According to the error report, execute the following command to solve the problem:

yum install python-pip pip install termcolor III. Intrusion/invasion analysis case

1.2017-12-25 The CPU of a cloud tenant continues to be high. After investigation, it is a malicious process named md, located at/var/tmp/.c4k/, and a timed task is added to crontab.

2. Microstep Online is determined as Bitcoin Mining Wood/Horse:

3. Under the website directory/WEB-INF/lib/, the vulnerability struts2 library 2.3.15 was found.

Struts2-045 and Struts2-048 vulnerabilities are determined by struts scan

4. The key steps listed in this article, in fact, in the analysis process we also analyzed the weak password explosion,/var/log/secure log, configuration file server.xml, etc., general analysis refer to my Linux intrusion/intrusion analysis trilogy.

Finally, the focus was on struts2 vulnerability, from which this vulnerability can be used as a checkpoint for website class host ingress/intrusion traceability analysis, included in TSG (Troubleshooting Guide), to improve efficiency.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.