Apache Struts is a popular open-source framework for building Java web applications. On September 05, 2017, a critical remote code execution vulnerability was disclosed that allowed a remote attacker to execute system commands on any server running the Apache Struts framework together with the commonly used REST plugin. At its root the bug is an insecure deserialization vulnerability, and that deserialization is what leads to remote code execution.
The vulnerability lives in the REST plugin of the Apache Struts framework. The REST plugin used the XStream handler to deserialize XML requests without any filtering, so the vulnerability is triggered by a specially crafted XML POST request carrying system commands, sent with the 'Content-Type' header set to 'application/xml'. For a proper understanding and a step-by-step walk-through of how the vulnerability arises, read this blog.
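From the defender's side, the detail above (the REST plugin hands any POST with Content-Type application/xml straight to XStream) gives a simple, high-signal indicator: an XML POST to a Struts REST application that never legitimately accepts XML. The following is an added example, not code from the original post or from Pentester Lab; it runs over a constructed, simplified reverse-proxy log (one JSON object per line) whose field names and the `/order` path pattern of the demo app are assumptions.

```python
"""Flag POST requests that carry an XML body to a Struts REST application.

Added example (not from the original post). The log format is a constructed,
simplified reverse-proxy log with one JSON object per line; the field names
(src, method, path, content_type, status) are assumptions.
"""
import json
import re
from collections import Counter

# Media types the vulnerable REST plugin routed to the XStream handler.
XML_TYPES = {"application/xml", "text/xml"}

# Paths served by the Struts REST plugin in the post's demo app
# (the post uses /order/3 as TARGETURI); the pattern is an assumption.
STRUTS_PATH = re.compile(r"^/orders?(/\d+)?(\.\w+)?$")

# Constructed sample log: two benign requests, two XML POSTs to the REST
# resource from one external source, one XML POST to an unrelated endpoint.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "GET", "path": "/order/3", "content_type": "", "status": 200}
{"src": "10.0.0.5", "method": "POST", "path": "/order", "content_type": "application/x-www-form-urlencoded", "status": 302}
{"src": "203.0.113.9", "method": "POST", "path": "/order/3", "content_type": "application/xml", "status": 500}
{"src": "203.0.113.9", "method": "POST", "path": "/order/3", "content_type": "text/xml; charset=utf-8", "status": 500}
{"src": "10.0.0.7", "method": "POST", "path": "/api/upload", "content_type": "application/xml", "status": 200}
"""


def normalise_content_type(value):
    """Drop parameters such as '; charset=utf-8' and lower-case the media type."""
    return value.split(";", 1)[0].strip().lower()


def is_suspicious(entry):
    """True for an XML-typed POST aimed at the Struts REST resource paths."""
    return (
        entry.get("method", "").upper() == "POST"
        and normalise_content_type(entry.get("content_type", "")) in XML_TYPES
        and STRUTS_PATH.match(entry.get("path", "")) is not None
    )


def find_xml_posts(log_text):
    """Parse the log line by line and return the entries worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if is_suspicious(entry):
            hits.append(entry)
    return hits


def summarise_by_source(hits):
    """Count flagged requests per source address, for an alert summary."""
    return dict(Counter(hit["src"] for hit in hits))


if __name__ == "__main__":
    flagged = find_xml_posts(SAMPLE_LOG)
    for hit in flagged:
        print("XML POST to Struts REST path:", hit)
    print("per source:", summarise_by_source(flagged))
```

The path filter matters: the XML POST to /api/upload is not flagged, because an application may have endpoints that legitimately accept XML, and the rule is only meaningful for the Struts REST actions that should never see an XML body.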
The affected versions are 2.1.2 through 2.3.x prior to 2.3.34, and 2.5.x prior to 2.5.13.
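The two version ranges above are the first thing to check against a dependency inventory. The following is an added example, not from the original post: it parses a version string (or a struts2-core jar file name) into a comparable tuple and reports which hosts of a constructed inventory are still on an affected build. The host names and jar names are constructed sample data.

```python
"""Decide whether a Struts version string falls in the affected ranges.

Added example (not from the original post). AFFECTED_RANGES encodes the
ranges the post states: 2.1.2 up to but not including 2.3.34, and 2.5.0 up
to but not including 2.5.13. The inventory below is constructed sample data.
"""
import re


def parse_version(text):
    """Turn '2.3.33' or 'struts2-core-2.5.12.jar' into a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


# (inclusive lower bound, exclusive upper bound), taken from the post's text.
AFFECTED_RANGES = [
    ((2, 1, 2), (2, 3, 34)),   # 2.1.2 .. 2.3.x before 2.3.34
    ((2, 5, 0), (2, 5, 13)),   # 2.5.x before 2.5.13
]


def is_affected(version):
    """Accept either a version string/jar name or an already parsed tuple."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Return the hosts (sorted) whose recorded Struts build is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory: host -> struts2-core version as reported by a scan.
INVENTORY = {
    "web-01": "struts2-core-2.3.33.jar",  # last unpatched 2.3 release
    "web-02": "2.3.34",                   # first fixed 2.3 release
    "web-03": "2.5.12",                   # last unpatched 2.5 release
    "web-04": "2.5.13",                   # first fixed 2.5 release
    "web-05": "2.1.1",                    # below the affected range
    "web-06": "2.1.2",                    # first affected release
}


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("affected:", host, INVENTORY[host])
```

Comparing tuples rather than strings is the point of the parser: a plain string comparison would rank "2.3.9" above "2.3.34" and miss the boundary between the last vulnerable and the first fixed release.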
So let's continue with our demonstration.
First of all, we need a vulnerable server or machine running an affected version of Struts. Pentester Lab already provides a server built specifically for this purpose, and I'm going to use that box as the demo victim. The setup is very easy: just download the ISO and install it in VMware (port 80 of that box didn't work in VirtualBox for some reason, so I moved to VMware) and you're good to go. The box can be downloaded from here.
The Metasploitable 3 box is also vulnerable to this, so you can carry out the exploit there as well. You can also build your own vulnerable server; follow the blog here if you want to set up your own server and then exploit it.
I will use Kali for the attacking side. You can use any distribution you like, as long as it ships with Metasploit.
Now we can use either the Python exploit published on Exploit-DB or the Metasploit module to exploit the box/server. Generally speaking, I prefer Metasploit's Struts XStream module. A lightweight working Python script can also be used to test and exploit Struts; the script can be found here.
3. Now copy that Ruby file to the directory /usr/share/metasploit-framework/modules/exploits/multi/http/ with the following command:
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
First, we need to set the remote host (the victim's IP address) and the remote port (the port on which Apache Struts is running). Enter the commands below.
Then set the target to 2, which is the Linux target, since our victim box runs Linux, and along with it set TARGETURI to /order/3. Enter the following commands:
So that’s for now. See you next time.