Fetching contributors…
Cannot retrieve contributors at this time
48 lines (27 sloc) 1.53 KB

struts2_rest_xstream is a module that exploits Apache Struts 2's REST plugin, using the XStream handler to deserialise XML requests perform arbitrary code execution.

Vulnerable Application

Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12

You can download these versions here with any version of Apache Tomcat:

You will also need to install a Struts 2 showcase application, which can be found here:



The path to a struts application action


The HTTP server virtual host. You will probably need to configure this as well, even though it is set as optional.


The Check Command

The struts2_rest_xstream module comes with a check command that can effectively check if the remote host is vulnerable or not. To use this, configure the msfconsole similar to the following:

set VERBOSE true
set RHOST [IP]
set TARGETURI [path to the Struts app with an action]

When the module is in verbose mode, the check command will try to tell you the OS information, and whether or not the machine is vulnerable. Like this:

msf exploit(struts2_rest_xstream) > check

[+] The target appears to be vulnerable.

Exploiting the Host

After identifying the vulnerability on the target machine, you can try to exploit it. Be sure to set TARGETURI to the correct URI for your application, and the TARGET variable for the appropriate host OS.