Skip to content

m3ssap0/struts2_cve-2017-5638

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 

Repository files navigation

struts2_cve-2017-5638

This is a sort of Java porting of the Python exploit at: https://www.exploit-db.com/exploits/41570/.

This software is written to have no external dependencies.

DISCLAIMER

This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which any one uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.

Vulnerability info

  • CVE-ID: CVE-2017-5638
  • Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
  • Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Help

Usage:
   java -jar struts2_cve-2017-5638.jar [options]
Description:
   Exploiting Apache Struts2 Remote Code Execution (CVE-2017-5638).
Options:
   -h, --help
      Prints this help and exits.
   -u, --url [target_URL]
      The target URL where the exploit will be performed.
   -cmd, --command [command_to_execute]
      The command that will be executed on the remote machine.
   --cookies [cookies]
      Optional. Cookies passed into the request, i.e. authentication cookies.
   -v, --verbose
      Optional. Increase verbosity.

Examples

java -jar struts2_cve-2017-5638.jar --url "https://vuln1.foo.com/asd" --command ipconfig
java -jar struts2_cve-2017-5638.jar --url "https://vuln2.foo.com/asd" --command ipconfig --cookies "JSESSIONID=qwerty0123456789"
java -jar struts2_cve-2017-5638.jar --url "https://vuln3.foo.com/asd" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar"

Authors

  • Antonio Francesco Sardella - Java porting - m3ssap0

License

This project is licensed under the MIT License - see the LICENSE.txt file for details.

Acknowledgments

  • Vex Woo for the original Python exploit.