This is a sort of Java porting of the Python exploit at: https://www.exploit-db.com/exploits/41570/.
This software is written to have no external dependencies.
This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which any one uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.
- CVE-ID: CVE-2017-5638
- Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
- Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Usage:
java -jar struts2_cve-2017-5638.jar [options]
Description:
Exploiting Apache Struts2 Remote Code Execution (CVE-2017-5638).
Options:
-h, --help
Prints this help and exits.
-u, --url [target_URL]
The target URL where the exploit will be performed.
-cmd, --command [command_to_execute]
The command that will be executed on the remote machine.
--cookies [cookies]
Optional. Cookies passed into the request, i.e. authentication cookies.
-v, --verbose
Optional. Increase verbosity.
java -jar struts2_cve-2017-5638.jar --url "https://vuln1.foo.com/asd" --command ipconfig
java -jar struts2_cve-2017-5638.jar --url "https://vuln2.foo.com/asd" --command ipconfig --cookies "JSESSIONID=qwerty0123456789"
java -jar struts2_cve-2017-5638.jar --url "https://vuln3.foo.com/asd" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar"
- Antonio Francesco Sardella - Java porting - m3ssap0
This project is licensed under the MIT License - see the LICENSE.txt file for details.
- Vex Woo for the original Python exploit.