adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c48a6ddbdfc02bf92b8d4e247dbe89bdfba4e821
metasploit-gs/documentation/modules/exploit/multi/http/struts_dmi_exec.md
T

57 lines
2.8 KiB
Markdown
Raw Normal View History

Add module documentation for struts_dmi_exec
2016-05-02 15:43:34 -05:00
struts_dmi_exec is a module that exploits Apache Struts 2's Dynamic Method Invocation,
and it supports Windows and Linux platforms.
## Vulnerable Application
Apache Struts versions between 2.3.20 and 2.3.28 are vulnerable, except 2.3.20.2 and 2.3.24.2.
The application's struts.xml also needs set ```struts.enable.DynamicMethodInvocation``` to true,
and ```struts.devMode``` to false.
For testing purposes, here is how you would set up the vulnerable machine:
1. Download Apache Tomcat
2. Download Java. [Choose an appropriate version](http://tomcat.apache.org/whichversion.html) based on the Apache Tomcat version you downloaded.
3. Download the vulnerable [Apache Struts application](https://github.com/rapid7/metasploit-framework/files/241784/struts2-blank.tar.gz).
4. Install Java first. Make sure you have the JAVA_HOME environment variable.
5. Extract Apache Tomcat.
6. In conf directory of Apache Tomcat, open the tomcat-users.xml file with a text editor.
Add mod doc for struts_dmi_rest_exec and update struts_dmi_exec.md
2016-06-08 23:15:44 -05:00
7. In tomcat-users.xml, add the ```manager-gui``` role
8. In tomcat-users.xml, add the ```manager-gui``` role to a user.
Add module documentation for struts_dmi_exec
2016-05-02 15:43:34 -05:00
9. Remove other users.
10. In a terminal or command prompt, ```cd``` to the bin directory, and run: ```catalina.bat run``` (or catalina.sh). You should have Apache Tomcat running on port 8080.
11. Extract the vulnerable struts app: ```tar -xf struts2-blank.tar.gz```
12. Navigate to the Apache Tomcat server with a browser on port 8080.
13. Click on Manager App
14. In the WAR file to deploy section, deploy struts2-blank.war
15. Stop struts2-blank in the manager app.
16. On the server, ```cd``` to ```apache-tomcat-[version]/webapps/struts2-blank/WEB-INF/classes```, open struts.xml with a text editor.
17. In the XML file, update ```struts.enable.DynamicMethodInvocation``` to true
18. In the XML file, update ```struts.devMode``` to false.
19. Back to Apache Tomcat's manager app. Start the struts2-blank again.
And now you have a vulnerable server.
## Options
**TMPPATH**
By default, the struts_dmi_exec exploit should be ready to go without much configuration. However,
in case you need to change where the payload should be uploaded to, make sure to set the correct
target, and then change the TMPPATH datastore option.
## Scenarios
struts_dmi_exec supports three platforms: Windows, Linux, and Java. By default, it uses Java, so
you don't need to worry about configuring this. Running the module can be as simple as the usage
explained in the Overview section.
However, native payload do have their benefits (for example: Windows Meterpreter has better
support than Java), so if you decide to switch to a different platform, here is what you do:
1. Do ```show targets```, and see which one you should be using
2. Do ```set target [id]```
3. Do ```show payloads```, which shows you a list of compatible payloads for that target.
4. Do: ```set payload [payload name]```
5. Do: ```exploit```
Reference in New Issue Copy Permalink