关联漏洞
标题:
Apache Struts 2 输入验证错误漏洞
(CVE-2017-5638)
描述:Apache Struts是美国阿帕奇(Apache)软件基金会的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。 Apache Struts 2 2.3.32之前的2 2.3.x版本和2.5.10.1之前的2.5.x版本中的Jakarta Multipart解析器存在安全漏洞,该漏洞源于程序没有正确处理文件上传。远程攻击者可借助带有#cmd=字符串的特制Content-Type HTTP头利用该漏洞执行任意命令。
描述
This repository provides a PoC for CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2, exploitable via a crafted Content-Type HTTP header.
介绍
# CVE-2017-5638 Apache Struts 2 RCE Proof of Concept
This repository contains a Proof of Concept (PoC) script demonstrating the Remote Code Execution (RCE) vulnerability identified as **CVE-2017-5638** in Apache Struts 2.
## Vulnerability Details
- **CVE ID:** [CVE-2017-5638](https://nvd.nist.gov/vuln/detail/CVE-2017-5638)
- **Affected Software:** Apache Struts 2 versions prior to 2.3.32 and 2.5.10.1
- **Vulnerability Type:** Remote Code Execution
- **Attack Vector:** Remote, via crafted Content-Type HTTP header
## Description
An error in the handling of the `Content-Type` header in file upload requests allows attackers to execute arbitrary OGNL expressions. This can lead to full system compromise.
## Contents
- `exploit.py`: PoC script to demonstrate the vulnerability
- `README.md`: Instructions on setting up a vulnerable environment and running the PoC
- `docs/`: Additional documentation and analysis of the vulnerability
## Disclaimer
**This project is for educational purposes only. Unauthorized use of this code against any system without permission is illegal and unethical.**
文件快照
[4.0K] /data/pocs/2b4092947dec3225cd3c32b5ce8c0817f8c1fe2b
├── [4.0K] docs
│ └── [ 1] CVE-2017-5638-Analysis.md
├── [4.0K] PoC
│ ├── [ 1] exploit.py
│ └── [ 1] requirements.txt
├── [1.1K] README.md
└── [4.0K] Vulnerable-Setup
└── [ 1] VM-Setup.md
3 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。