关联漏洞
标题:
Apache Struts 2 输入验证错误漏洞
(CVE-2017-5638)
描述:Apache Struts是美国阿帕奇(Apache)软件基金会的一个开源项目,是一套用于创建企业级Java Web应用的开源MVC框架,主要提供两个版本框架产品,Struts 1和Struts 2。 Apache Struts 2 2.3.32之前的2 2.3.x版本和2.5.10.1之前的2.5.x版本中的Jakarta Multipart解析器存在安全漏洞,该漏洞源于程序没有正确处理文件上传。远程攻击者可借助带有#cmd=字符串的特制Content-Type HTTP头利用该漏洞执行任意命令。
描述
This is a sort of Java porting of the Python exploit at: https://www.exploit-db.com/exploits/41570/.
介绍
# struts2_cve-2017-5638
This is a sort of Java porting of the Python exploit at: [https://www.exploit-db.com/exploits/41570/](https://www.exploit-db.com/exploits/41570/).
This software is written to have no external dependencies.
## DISCLAIMER
**This tool is intended for security engineers and appsec guys for security assessments. Please use this tool responsibly. I do not take responsibility for the way in which any one uses this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.**
## Vulnerability info
* **CVE-ID**: CVE-2017-5638
* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638)
* **Description**: The Jakarta Multipart parser in **Apache Struts 2** 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted *Content-Type*, *Content-Disposition*, or *Content-Length* HTTP header, as exploited in the wild in March 2017 with a *Content-Type* header containing a *#cmd=* string.
## Help
```
Usage:
java -jar struts2_cve-2017-5638.jar [options]
Description:
Exploiting Apache Struts2 Remote Code Execution (CVE-2017-5638).
Options:
-h, --help
Prints this help and exits.
-u, --url [target_URL]
The target URL where the exploit will be performed.
-cmd, --command [command_to_execute]
The command that will be executed on the remote machine.
--cookies [cookies]
Optional. Cookies passed into the request, i.e. authentication cookies.
-v, --verbose
Optional. Increase verbosity.
```
## Examples
```
java -jar struts2_cve-2017-5638.jar --url "https://vuln1.foo.com/asd" --command ipconfig
```
```
java -jar struts2_cve-2017-5638.jar --url "https://vuln2.foo.com/asd" --command ipconfig --cookies "JSESSIONID=qwerty0123456789"
```
```
java -jar struts2_cve-2017-5638.jar --url "https://vuln3.foo.com/asd" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar"
```
## Authors
* **Antonio Francesco Sardella** - *Java porting* - [m3ssap0](https://github.com/m3ssap0)
## License
This project is licensed under the MIT License - see the **LICENSE.txt** file for details.
## Acknowledgments
* [Vex Woo](https://www.exploit-db.com/author/?a=8906) for the original Python exploit.
文件快照
[4.0K] /data/pocs/2c019325b3d0c7bcf83fb379e1d8ce7b1ca9a380
├── [1.1K] LICENSE.txt
├── [2.4K] README.md
└── [4.0K] src
└── [4.0K] com
└── [4.0K] afs
└── [4.0K] exploit
└── [4.0K] struts2
└── [ 11K] Struts2Cve20175638.java
5 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。