CVE-2017-5638 PoC — Apache Struts 2 输入验证错误漏洞

Source

Associated Vulnerability

Title:Apache Struts 2 输入验证错误漏洞 (CVE-2017-5638)
Description:The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Description

An exploit (and library) for CVE-2017-5638 - Apache Struts2 S2-045 bug.

Readme

# Struts2Shell

An exploit (and library) for CVE-2017-5638 - Apache Struts2 S2-045 bug.

## Installation

```sh
$ npm install -g struts2shell
```

## Installation as Library

```sh
$ npm install struts2shell
```

## Command Line Options
    -h, --help           output usage information
    -V, --version        output the version number
    -u, --url [target]   URL to Attack
    -c, --cmd [command]  Command to Execute

## Usage as Library

```javascript
var Struts2Shell = require('struts2shell');
Struts2Shell({
	URL: 'http://example.com/some.action',
	CMD: 'dir'
}, function(err, response,body) {
    if(err) throw err;
    console.log(body)
})
```

## Screenshot

![Struts2Shell](https://raw.githubusercontent.com/jpacora/Struts2Shell/master/screenshot.png)


License
----

MIT


**Free Software, Hell Yeah!**

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!