Now that we have exploited the vulnerabilities of Struts 2 manually and understood the concepts clearly, we'll see how easy it is to exploit the same vulnerability using Metasploit. Using Metasploit makes exploitation much easier. We can search for all the available modules on Struts by performing the following steps:
- Search for struts in the Metasploit console, as shown:
- The following is a demo web application that is running Apache Struts. This application is vulnerable to the S2-013 vulnerability (CVE-2013-1966). Let's look at how we can exploit this vulnerability using Metasploit:
- We load the Metasploit exploit by typing the following command in msfconsole:
use exploit/multi/http/struts_include_params
- By typing the show options command, we can see the options available, as shown:
Setting the options and running the exploit will give us the command shell. If no reverse shell connection comes back, we need to perform a simple egress test to check which outbound ports are allowed from the target server. If outbound connections are blocked by a firewall, we can always try to get a bind connection via an HTTP tunnel.
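For the defensive side of the same vulnerability class, here is an added example (not from the book or from Metasploit) that scans web-server access-log lines for the OGNL expression markers that S2-013-style payloads carry in the query string. The log lines, hosts and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 2 carries a URL-encoded OGNL probe "%{#_memberAccess}" in a parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /struts2-showcase/link.action?fakeParam=%25%7B%23_memberAccess%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.7 - - [12/May/2024:10:01:09 +0000] "GET /struts2-showcase/search.action?q=cost%20%24100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client IP and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# OGNL evaluation markers (%{...} / ${...}) plus identifiers that appear in
# known Struts 2 injection payloads and in public IDS signatures for them.
OGNL_RE = re.compile(r'[%$]\{|#_memberAccess|@java\.lang\.|#context\[', re.IGNORECASE)


def decode_query(target):
    """Return the query string, URL-decoded twice to catch double encoding."""
    query = urlsplit(target).query
    return unquote(unquote(query))


def find_ognl_requests(log_text):
    """Return one dict per request whose decoded query contains OGNL markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = decode_query(m.group("target"))
        if OGNL_RE.search(decoded):
            hits.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "query": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ognl_requests(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} : {hit['query']}")
```

A benign `$100` in the third line does not trigger the rule, because the pattern requires the `{` that opens an OGNL expression.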