Giter Site home page Giter Site logo

struts2-rce's Introduction

DepShield Badge

Exploit Demo for CVE-2017-5638 (Struts2 RCE and CVE-2022-44228 (Log4Shell)

Completely based on https://github.com/piesecurity/apache-struts2-CVE-2017-5638

A realistic scenario where a reference project for a framework is deployed on a container but with terrible consequences. To familiarise yourself look at the code and compile it. Also investigate the dockerfile - does anything specific rise to get our attention?

Shows how easily every day decisions and multiple vulnerabilities in chain can be leveraged.

Usage:

Pre-requisites:

  1. have a JDK installed,
  2. have Docker installed, Docker Desktop for Mac or Win
  3. ideally have Python installed (can be replaced by Jython)

To prepare:

  1. clone this repo
  2. run ./mvnw clean package in project root
  3. run docker build -t hackme \.
  4. run docker run -d -p 9080:8080 hackme
  5. once container comes online - verify by running in browser http://localhost:9080

Notice: if you don't have Docker installed, you can run ./mvnw jetty:run

To begin testing Struts2 RCE - run the exploit.py file:

  • run python exploit.py http://localhost:9080/orders/3 "CMD"
  • If you don't have Python, use the Jython Standalone and
    run java -jar jython*.jar exploit.py http://localhost:9080/orders/3 "CMD"

To begin testing Log4Shell Live - open the web applicaiton Insert known Log4shell strings into text fields and observe the logs in the container. You'll see interesting deets :-)

Try with different CMDs like

  • pwd - where are we?
  • whomai - what user are we running this?
  • ls -la - what's in my directory?
  • ls / - what's my machine
  • ls /etc - what else we can find?

How to Fix!

Use the Nexus Lifecycle Component Information Panel to identify a non-vulnerable version of struts2-core. Update the POM to that version and rebuild. You can also rebuild the Docker image and run it to retry the attack.

Original readme

https://github.com/apache/struts/tree/master/apps/rest-showcase

README.txt - Rest Showcase Webapp

Rest Showcase is a simple example of REST app build with the REST plugin.

For more on getting started with Struts, see 

* http://cwiki.apache.org/WW/home.html

I18N:
=====
Please note that this project was created with the assumption that it will be run
in an environment where the default locale is set to English. This means that
the default messages defined in package.properties are in English. If the default
locale for your server is different, then rename package.properties to package_en.properties
and create a new package.properties with proper values for your default locale.

struts2-rce's People

Contributors

butterb0wl avatar cmyanko avatar hboutemy avatar iletee avatar maurycupitt avatar scherzhaft avatar

Stargazers

 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

Watchers

 avatar  avatar  avatar  avatar

struts2-rce's Issues

[DepShield] (CVSS 9.8) Vulnerability due to usage of org.apache.logging.log4j:log4j-core:2.7

Vulnerabilities

DepShield reports that this application's usage of org.apache.logging.log4j:log4j-core:2.7 results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.3) Vulnerability due to usage of commons-beanutils:commons-beanutils:1.9.2

Vulnerabilities

DepShield reports that this application's usage of commons-beanutils:commons-beanutils:1.9.2 results in the following vulnerability(s):


Occurrences

commons-beanutils:commons-beanutils:1.9.2 is a transitive dependency introduced by the following direct dependency(s):

org.apache.struts:struts2-rest-plugin:2.5.10
        └─ net.sf.json-lib:json-lib:2.3
              └─ commons-beanutils:commons-beanutils:1.9.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

get DepShield create issues

DepShield was enabled in #3, which is great when you look at home page with README

DepShield should have created GitHub issues, but it did not: it would be useful to see the security issues found by DepShield, like it happened on original repository https://github.com/CMYanko/struts2-rce/issues
(perhaps finding the issue then getting it back would trigger the creation, I don't know)

[DepShield] (CVSS 7.5) Vulnerability due to usage of dom4j:dom4j:1.6.1

Vulnerabilities

DepShield reports that this application's usage of dom4j:dom4j:1.6.1 results in the following vulnerability(s):


Occurrences

dom4j:dom4j:1.6.1 is a transitive dependency introduced by the following direct dependency(s):

net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:1.4.1
        └─ htmlunit:htmlunit:1.11
              └─ jaxen:jaxen:1.1
                    └─ dom4j:dom4j:1.6.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of org.springframework:spring-core:4.1.6.RELEASE

Vulnerabilities

DepShield reports that this application's usage of org.springframework:spring-core:4.1.6.RELEASE results in the following vulnerability(s):


Occurrences

org.springframework:spring-core:4.1.6.RELEASE is a transitive dependency introduced by the following direct dependency(s):

org.springframework:spring-test:4.1.6.RELEASE
        └─ org.springframework:spring-core:4.1.6.RELEASE

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 5.9) Vulnerability due to usage of com.google.guava:guava:19.0

Vulnerabilities

DepShield reports that this application's usage of com.google.guava:guava:19.0 results in the following vulnerability(s):


Occurrences

com.google.guava:guava:19.0 is a transitive dependency introduced by the following direct dependency(s):

org.richfaces:richfaces-core:4.5.17.Final
        └─ com.google.guava:guava:19.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 10.0) Vulnerability due to usage of org.apache.struts:struts2-core:2.5.10

Vulnerabilities

DepShield reports that this application's usage of org.apache.struts:struts2-core:2.5.10 results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 9.8) Vulnerability due to usage of commons-collections:commons-collections:3.2.1

Vulnerabilities

DepShield reports that this application's usage of commons-collections:commons-collections:3.2.1 results in the following vulnerability(s):


Occurrences

commons-collections:commons-collections:3.2.1 is a transitive dependency introduced by the following direct dependency(s):

org.apache.struts:struts2-rest-plugin:2.5.10
        └─ net.sf.json-lib:json-lib:2.3
              └─ commons-collections:commons-collections:3.2.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 10.0) Vulnerability due to usage of com.fasterxml.jackson.core:jackson-databind:2.6.1

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.6.1 results in the following vulnerability(s):


Occurrences

com.fasterxml.jackson.core:jackson-databind:2.6.1 is a transitive dependency introduced by the following direct dependency(s):

org.apache.struts:struts2-rest-plugin:2.5.10
        └─ com.fasterxml.jackson.core:jackson-databind:2.6.1

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 7.5) Vulnerability due to usage of com.thoughtworks.xstream:xstream:1.4.8

Vulnerabilities

DepShield reports that this application's usage of com.thoughtworks.xstream:xstream:1.4.8 results in the following vulnerability(s):


Occurrences

com.thoughtworks.xstream:xstream:1.4.8 is a transitive dependency introduced by the following direct dependency(s):

org.apache.struts:struts2-rest-plugin:2.5.10
        └─ com.thoughtworks.xstream:xstream:1.4.8

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 9.8) Vulnerability due to usage of commons-fileupload:commons-fileupload:1.3.2

Vulnerabilities

DepShield reports that this application's usage of commons-fileupload:commons-fileupload:1.3.2 results in the following vulnerability(s):


Occurrences

commons-fileupload:commons-fileupload:1.3.2 is a transitive dependency introduced by the following direct dependency(s):

org.apache.struts:struts2-core:2.5.10
        └─ commons-fileupload:commons-fileupload:1.3.2

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

[DepShield] (CVSS 5.8) Vulnerability due to usage of commons-httpclient:commons-httpclient:3.1

Vulnerabilities

DepShield reports that this application's usage of commons-httpclient:commons-httpclient:3.1 results in the following vulnerability(s):

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.