apache-struts2 CVE-2017-5638, CVE-2017-9791, CVE-2018-11776
Demo Application and Exploit
Sample Apache Struts2 App
Exploit Reference: https://github.com/rapid7/metasploit-framework/issues/8064
Extending for CVE-2017-9791 (notes from hook):
Bit of confusion when I found the original exploit_S2-048.py in the source upon first commit, but still publishing this as it reintroduces Windows' platform check in the payload.
Thanks to piesecurity for providing the Dockerfile for setting up the lab.