From small beginnings come great things
Great begins with small
Struts2 has had a busy year, with many high-risk vulnerabilities disclosed. I studied S2-045 and S2-046 earlier, and recently S2-052 appeared. S2-052 is somewhat less dangerous because its preconditions are stricter: it requires the XStream component of the Struts2 REST plugin.
Disclaimer: The tools in this article are for personal testing and research only. Please delete them within 24 hours of downloading. Do not use them for commercial or illegal purposes.
S2-052 occurs when an application uses the Struts REST plugin, whose XStream component deserializes XML-format request bodies. The content is not validated before deserialization, so a malicious payload can be placed directly in the request body.
Vulnerability ID: CVE-2017-9805 (S2-052)
Note: The command to be executed is placed in the command part of the PoC. Here it opens the Calculator on macOS; on Windows, change it to calc.exe.
Before installing Tomcat, check whether Java is installed on the Mac by running java -version.
Download Tomcat from http://tomcat.apache.org/download-80.cgi?from_33lc.com, choosing the tar.gz package under Core, then extract it locally.
After extracting, move the folder to the /Library directory and name it Tomcat; then set the permissions:
Go to the /Library/Tomcat/bin/ directory and run the startup script to start Tomcat.
Note: To change the Tomcat port, open /Library/Tomcat/conf/server.xml and modify port 8080.
Write a script to start and stop Tomcat:
Write the following into a file named tomcat (create it yourself):
Give file permissions:
Add an environment variable:
Then run it to start or stop Tomcat:
Note: Installing Tomcat on Linux and Windows is similar and is not demonstrated here.
Download the last affected version, [struts-2.5.12](http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip), from the official Struts2 site. Copy the struts2-rest-showcase.war file from its apps directory into the Tomcat webapps directory (/Library/Tomcat/webapps) and restart Tomcat, then open: http://127.0.0.1:8080/struts2-rest-showcase/
Since Burp Suite also listens on port 8080, I changed the Tomcat port to 8081.
You can use the PoC request above directly, or capture and replay a request yourself. To capture one, click "edit" on the page, then click submit to send the POST request, and then replace the body of that POST with the PoC for this vulnerability.
The most common PoC on the Internet pops up a calculator. However, when I tested on the Mac, the calculator pop-up failed, so I changed the PoC to write a file instead and the test succeeded.
File-write PoC (creates a file named vuln under /tmp/):
Calculator pop-up PoC:
marshalsec-0.0.1-SNAPSHOT-all.jar can be downloaded online; no address is given here, search for it yourself.
- Upgrade Struts to the latest version, 2.5.13.
- Remove the Struts REST plugin when it is not in use, or restrict it to serving normal server pages and JSON.
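The root cause described above is XStream instantiating whatever type the XML names. As an added example (not code from the original post or from Struts itself), this shows the defensive pattern for an application that uses XStream directly: deny every type, then allow only the domain class the endpoint expects. The `Order` class and the sample bodies are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {
    // Hypothetical domain object: the only type this endpoint should ever receive.
    public static class Order {
        String clientName;
        int quantity;
    }

    // Unrestricted: the XML element name decides which class gets instantiated.
    // This is the condition S2-052 relies on. Newer XStream releases ship
    // stricter defaults, but an explicit allowlist works on every version.
    static XStream unrestricted() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened: start from "nothing allowed", then permit only what is needed.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // deny all types
        xs.addPermission(NullPermission.NULL);            // permit null references
        xs.addPermission(new PrimitiveTypePermission());  // int, boolean, ...
        xs.allowTypes(new Class[]{ String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample bodies. The second names a JDK type the endpoint
        // never expects; the allowlist refuses it before any object is built.
        String expected = "<order><clientName>acme</clientName><quantity>3</quantity></order>";
        String unexpected = "<java.util.HashMap/>";

        XStream safe = allowlisted();
        Order o = (Order) safe.fromXML(expected);
        System.out.println("accepted: " + o.clientName + " x" + o.quantity);
        try {
            safe.fromXML(unexpected);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The unrestricted instance builds the HashMap without complaint.
        System.out.println("unrestricted built: " + unrestricted().fromXML(unexpected).getClass().getName());
    }
}
```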
[struts2-046 vulnerability](http://thief.one/2017/03/21/Struts2-046%E6%BC%8F%E6%B4%9E/)
[struts2-045 vulnerability](http://thief.one/2017/03/07/Struts2-045%E6%BC%8F%E6%B4%9E/)
[struts2 vulnerability PoC summary](http://thief.one/2017/03/13/Struts2%E6%BC%8F%E6%B4%9EPOC%E6%B1%87%E6%80%BB/)