1. Environment
Attacker : Kali Linux
Victim : Windows 7
2. Basic environment setup
1) Windows 7
(1) JDK install (Java SE 8u161)
- https://www.oracle.com/technetwork/java/javase/downloads/java-archive-javase8-2177648.html
(jdk-8u161-windows-x64.exe)
(2) Tomcat 7.0 install
- https://tomcat.apache.org/download-70.cgi
(apache-tomcat-7.0.99-windows-x64)
(3) Struts2 install (Apache Struts 2.1.2 ~ 2.3.33 / 2.5 ~ 2.5.12)
- https://repo1.maven.org/maven2/org/apache/struts/struts2-showcase/2.3.31/
(struts2-showcase-2.3.31.war)
(4) Eclipse install (J2EE Developer)
- https://www.eclipse.org/downloads/packages/
(eclipse-inst-win64)
(5) Eclipse configuration
- Eclipse > Window > Preferences
- Server > Runtime Environments > Add... > Tomcat installation directory > JRE > Finish
- File > Import > Web > WAR file > struts2-showcase-2.3.31.war
- Project Explorer > struts2-showcase-2.3.31 > Run As > Run on Server
- http://localhost:8080/struts2-showcase-2.3.31/index.action
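Added example (not part of the original write-up or of the exploit repository): a Python check that reads a WAR file and reports whether the bundled struts2-core version falls inside the range listed in step (3), which confirms the lab target and can also be used to inventory deployed WARs. The jar path pattern and the helper names are assumptions, and the sample WAR is constructed in memory.

```python
import io
import re
import zipfile

# Affected ranges exactly as listed in step (3) of this write-up (inclusive).
LISTED_RANGES = [((2, 1, 2), (2, 3, 33)), ((2, 5, 0), (2, 5, 12))]

# Assumption: the core library is bundled as WEB-INF/lib/struts2-core-<version>.jar
CORE_JAR = re.compile(r"^WEB-INF/lib/struts2-core-(\d+(?:\.\d+){1,3})\.jar$")


def parse_version(text):
    """Turn '2.3.31' into (2, 3, 31); pad to three parts so '2.5' == (2, 5, 0)."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_listed_range(version):
    """True when the version tuple falls inside one of LISTED_RANGES."""
    return any(low <= version <= high for low, high in LISTED_RANGES)


def audit_war(war):
    """Return [(jar_path, version, in_range)] for each struts2-core jar in a WAR.

    `war` is a file path or a binary file object, as zipfile.ZipFile accepts.
    """
    findings = []
    with zipfile.ZipFile(war) as archive:
        for name in archive.namelist():
            match = CORE_JAR.match(name)
            if match:
                version = match.group(1)
                findings.append((name, version, in_listed_range(parse_version(version))))
    return findings


def build_sample_war(core_version):
    """Constructed sample: an in-memory WAR holding only an empty core jar entry."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        archive.writestr(f"WEB-INF/lib/struts2-core-{core_version}.jar", b"")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for sample in ("2.3.31", "2.3.34", "2.5.13"):
        for path, version, hit in audit_war(build_sample_war(sample)):
            print(f"{path}: {version} -> {'in' if hit else 'outside'} listed range")
```

To check a real file, pass its path, for example audit_war("struts2-showcase-2.3.31.war").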
3. Apache Struts2 Exploit code
1) Kali Linux
- git clone https://github.com/immunio/apache-struts2-CVE-2017-5638
- After downloading the code, the url inside the .py file must be modified
- ./exploit3.py (command)