Apache Struts REST Plugin XStream XML Deserialization RCE
CVE-2017-9805 is a critical remote code execution vulnerability in the Apache Struts 2 REST Plugin. In affected Struts versions, the REST plugin's XStreamHandler uses an XStream instance to deserialize attacker-controlled XML request bodies without sufficient type filtering or class restrictions. Because untrusted XML is deserialized into arbitrary object graphs, a remote attacker can supply a crafted XML payload that triggers unsafe deserialization and results in code execution in the context of the Struts application. The issue affects Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13; the advisory text also gives the affected ranges as 2.1.6 through 2.3.33 and 2.5 through 2.5.12.
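To make the missing class restriction concrete, here is an added Java illustration (not Struts' own code and not part of the original page) that puts a default XStream instance beside one locked down with XStream's type-permission API; the request model class OrderRequest, its alias and the sample XML bodies are constructed for this example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Hypothetical request model that a REST endpoint is meant to accept.
public class OrderRequest {
    public String sku;
    public int quantity;

    // Weak setup: a plain XStream instance instantiates whatever class the
    // XML element names, which is the condition CVE-2017-9805 relies on.
    static XStream unrestricted() {
        return new XStream();
    }

    // Hardened setup: deny every type first, then allow only nulls,
    // primitives, String and the one model class this endpoint expects.
    static XStream restricted() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one legitimate, one naming a class
        // outside the allowlist (a harmless stand-in for any unexpected type).
        String good = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.HashMap/>";

        OrderRequest ok = (OrderRequest) restricted().fromXML(good);
        System.out.println("parsed sku=" + ok.sku + " qty=" + ok.quantity);

        try {
            restricted().fromXML(unexpected);
            System.out.println("unexpected type was accepted (should not happen)");
        } catch (ForbiddenClassException e) {
            // The allowlist rejects the element before any object is built.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The unrestricted() variant is kept only for contrast; the fixed Struts releases apply an allowlist of this kind inside the REST plugin.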
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a small standalone proof-of-concept exploit for Apache Struts S2-052 XML deserialization RCE (CVE-2017-9805). The main file, exploit.py, is a Python 3 script using the requests library to POST a crafted application/xml body to a user-specified target URL. The XML payload is a malicious XStream object graph that reaches java.lang.ProcessBuilder and invokes start(), executing an operator-controlled shell command through /bin/sh -c on the remote server. The script itself is simple and operational: it accepts two arguments (target URL and command), sends the exploit, and prints the HTTP status code and response length. Repository structure is minimal: README.md documents the vulnerability, affected Struts versions, and exploitation concept; exploit.py contains the actual exploit logic; detection.xml, payload.xml, and reverse-shell.xml are helper payload examples showing command arrays for touch /tmp/pwned, whoami, and a bash reverse shell respectively. There is no framework integration, no target discovery logic, and no automated listener or session handling. The exploit capability is direct unauthenticated remote command execution against vulnerable Struts REST endpoints that deserialize XML. Because the command is operator-supplied and the repository includes a reverse shell template, the code is more than a pure POC but still basic and hardcoded enough to classify as OPERATIONAL rather than weaponized.
Repository contains a minimal proof-of-concept exploit for Apache Struts2 S2-052 (CVE-2017-9805) implemented as a single Python script plus a short README.
Structure:
- README.md: states this is an S2-052 PoC and shows how to run it.
- struts20179805.py: standalone Python3 exploit that crafts a raw HTTP request and sends it over TLS.
How it works:
- Builds a raw HTTP/1.1 PUT request with Content-Type: application/xml and a hardcoded JSESSIONID cookie.
- The request body is a known XStream deserialization gadget chain (using classes like javax.imageio.ImageIO$ContainsFilter and java.lang.ProcessBuilder) intended to trigger server-side deserialization and execute an OS command.
- Payload is lab-specific: executes /usr/local/bin/score UUID.
- Sends the packet to a hardcoded host over HTTPS (port 443) with TLS verification disabled.
- Reads the full response and prints the first 1000 bytes; uses simple heuristics:
  - If HTTP 500 is present and "ContainsFilter" is not, it reports likely execution.
  - If "ContainsFilter" appears, it reports an XStream field error (no execution).
Notable limitations/assumptions:
- Target host and URI are hardcoded (host: ptl-...libcurl.me, uri: /orders/3).
- Cookie and UUID are hardcoded placeholders; comments instruct manual editing.
- No interactive shell; only executes a fixed command (operational but not highly flexible).
This repository contains a proof-of-concept (POC) exploit for CVE-2017-9805, a critical remote code execution vulnerability in the Apache Struts 2 REST plugin due to unsafe Java deserialization. The main file, 'CVE-2017-9805.py', is a Python script that sends a specially crafted XML payload to a user-specified URL (the vulnerable endpoint). The payload leverages Java deserialization to execute arbitrary system commands on the target server using ProcessBuilder. The script allows the user to specify the target URL and command, but the payload must be manually edited to insert the desired command or reverse shell. The README provides a brief description of the vulnerability. No hardcoded endpoints are present; the target is specified at runtime. The exploit is a standalone POC and not part of a larger framework.
This repository contains a Python exploit script (struts-pwn.py) targeting Apache Struts 2 REST plugin vulnerability CVE-2017-9805. The exploit works by sending a specially crafted XML payload to a target URL, exploiting a Java deserialization flaw to achieve remote code execution via ProcessBuilder. The script supports both single and batch URL targeting, with options to check for vulnerability or execute arbitrary commands (default: 'touch /tmp/struts-pwn'). The README provides usage instructions and example endpoints. The only code file is struts-pwn.py, which is self-contained and requires Python and the requests library. The exploit is operational and can be used to verify and exploit vulnerable Struts 2 instances accessible over HTTP(S).
This repository is a Go-based exploit tool targeting Apache Struts servers vulnerable to CVE-2017-9805 (Java deserialization RCE in the REST plugin). The main file, main.go, provides two primary modes: (1) direct exploitation of a single target by sending a crafted XML payload that executes an arbitrary command, and (2) batch mode, which reads a list of targets from a file, sends a payload to each that attempts to execute a curl command back to the attacker's listener, and confirms exploitation by receiving callbacks. The tool uses a custom XML payload to trigger the vulnerability and supports user-supplied commands. It also determines the attacker's external IP using http://checkip.amazonaws.com for callback payload construction. The code is operational and can be used to both exploit and verify RCE on vulnerable Struts instances. The repository contains a README with usage instructions and a single Go source file implementing the exploit logic.
This repository contains a Python exploit script (s2-052.py) targeting the Apache Struts2 S2-052 (CVE-2017-9805) vulnerability, which is a remote code execution flaw in the XStream REST plugin. The exploit works by crafting a malicious XML payload that leverages Java deserialization to execute arbitrary shell commands on the target server. The script takes a target URL and a command to execute, parses the target to extract the IP, port, and URI, and sends the exploit as an HTTP POST request. The README provides usage instructions and a demonstration, including example IP addresses and endpoints. The exploit is operational, allowing attackers to run arbitrary commands on vulnerable servers. The repository consists of two files: a README.md with documentation and s2-052.py containing the exploit logic. The main entry point is s2-052.py, written in Python, and the attack vector is network-based, requiring access to the vulnerable HTTP endpoint.
This repository contains a single Python exploit script (cve-2017-9805.py) targeting CVE-2017-9805, a remote code execution vulnerability in Apache Struts 2.5-2.5.12 with the REST plugin. The exploit improves upon previous public scripts by using proper XML encoding, argument parsing, and command injection handling. The script takes a target URL and a command to execute, crafts a malicious XML payload with the command base64-encoded, and sends it via an HTTP POST request to the specified Struts endpoint. Upon successful exploitation, the command is executed on the target server. The repository also includes a README describing the improvements and a standard MIT license. The main attack vector is network-based, requiring access to a vulnerable Struts HTTP endpoint. The script is operational and suitable for demonstrating the vulnerability or for penetration testing with proper authorization.
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Apache Struts vulnerability referenced as part of a set of exploits used for mass scanning against a server.
CVE-2017-9805 is a critical remote code execution vulnerability in the Apache Struts 2 REST plugin, which allows attackers to execute arbitrary code via crafted XML requests.
A remote code execution vulnerability in the Apache Struts REST plugin, allowing attackers to execute arbitrary code via crafted XML requests.
A remote code execution vulnerability in Apache Struts2 that allows attackers to execute arbitrary code on affected servers.