Apache Struts Jakarta Multipart Parser Remote Code Execution

This repository is a self-contained Docker attack-emulation lab rather than a single standalone exploit. It implements an operational multi-stage kill chain centered on two real vulnerabilities: CVE-2017-5638 against Apache Struts 2.3.28 for initial foothold, and CVE-2021-41773 against Apache HTTP Server 2.4.49 for path traversal and RCE on the final target. The repository structure is organized into: (1) attacker/exploits/, containing Bash scripts for recon, direct exploitation, foothold establishment, pivoting, and full-chain orchestration; (2) docker-compose.yml, which defines the lab topology with attacker, vulnerable targets, supporting infrastructure, and two Suricata IDS sidecars; (3) scripts/, which provide setup, attack dispatch, alert tailing, and teardown; and (4) Dockerfiles for the attacker, vulnerable web server, Struts host, and Suricata sensors. Main exploit capabilities: recon.sh performs ICMP sweep, TCP connect scans, service fingerprinting, HTTP HEAD banner grabs, and SSH probing across the 172.28.0.0/24 lab subnet. foothold_struts.sh delivers an OGNL injection in the Content-Type header to exploit Struts S2-045 and execute arbitrary shell commands via /bin/bash -c. exploit_cve_2021_41773.sh directly attacks Apache httpd 2.4.49 by first reading /etc/passwd through encoded traversal and then POSTing commands to /bin/sh through the vulnerable cgi-bin path, checking for uid=0 to indicate root compromise. pivot_struts_to_web.sh is the most notable lateral movement component: it uses the Struts RCE to run a base64-decoded Bash script on the compromised web-struts host, which then opens a raw TCP socket with /dev/tcp to web-vuln:80 and sends the CVE-2021-41773 exploit request from an internal source. Optional legacy scripts foothold_ssh.sh and pivot_attack.sh simulate credential abuse and SSH-based pivoting using sshpass. The exploit is real and functional within the intended lab. It is not merely a detector, although the repository also includes Suricata rules to observe the attack. The payloads are basic but operational Bash command-execution payloads, with hardcoded defaults and user-supplied command support. The web-vuln Dockerfile explicitly enables mod_cgi in Apache so the CVE-2021-41773 RCE path works. Overall, the repository’s purpose is to emulate attacker behavior and defender telemetry across a realistic multi-host environment, especially to demonstrate how initial access on one host can be chained into internal lateral movement and final compromise on another host.

This repository is a complete educational recreation of CVE-2017-5638, the Apache Struts 2 OGNL injection vulnerability that leads to unauthenticated remote code execution. It is not just documentation: it contains a working PowerShell exploit, a vulnerable Java/Maven Struts2 backend pinned to Struts 2.3.28, and trimmed reference source files from Struts/XWork/OGNL that explain the exploit chain. Primary exploit capability: the PowerShell script in simulation/attack-script/exploit_cve_2017_5638.ps1 sends an HTTP POST to a Struts upload endpoint and places an OGNL payload in the Content-Type header. The payload abuses the multipart parser error path to reach LocalizedTextUtil.findText(), clears OgnlUtil blacklist sets, switches to OgnlContext.DEFAULT_MEMBER_ACCESS, and executes arbitrary OS commands via Runtime.getRuntime().exec(). The script supports a safe demo mode, full command execution, custom commands, and diagnostic stages. It also includes logic to capture command output and write it back into the HTTP response body, making the exploit immediately useful for verification and post-exploitation. Target surface: the simulated backend exposes /upload.action and /upload.jsp on localhost:8080. The vulnerable configuration is explicit in simulation/backend/src/main/resources/struts.xml, which sets struts.multipart.parser to jakarta, and in WEB-INF/web.xml, which maps the Struts filter to all paths. UploadAction.java is the nominal upload handler, but the exploit occurs before execute() is reached because multipart parsing happens during request wrapping. Repository structure: - simulation/attack-script/: operational exploit tooling in PowerShell, including an interactive launcher (run.ps1). - simulation/backend/: deployable vulnerable Struts2 webapp with Maven/Tomcat configuration, upload UI, action class, and a demo credential store in users.yaml. - struts-src-code/: curated excerpts of Dispatcher, MultiPartRequestWrapper, JakartaMultiPartRequest, PrepareOperations, StrutsPrepareAndExecuteFilter, ActionContext, OgnlUtil, and OgnlContext showing the exact vulnerable call chain and sandbox bypass primitives. - diagrams/ and markdown notes: explanatory material, attack-chain diagrams, and OGNL background. Notable post-exploitation objective: the repo models credential theft by storing fake usernames/passwords in data/users.yaml and providing a menu option that runs the command type data\users.yaml after RCE. Overall, this is an operational proof-of-concept exploit plus a lab environment for demonstrating and studying CVE-2017-5638 end to end.

Repository is a self-contained educational recreation of CVE-2017-5638 (Apache Struts2 OGNL injection/RCE). It contains two main components: (1) a vulnerable Java/Maven Struts2 backend under simulation/backend and (2) a PowerShell exploit under simulation/attack-script. The backend intentionally pins Struts2 to 2.3.28 in pom.xml, enables the vulnerable Jakarta multipart parser in struts.xml, maps the Struts filter across all URLs in web.xml, and exposes /upload.action via UploadAction.java. The exploit does not rely on authentication or a valid file upload; it sends a crafted POST request whose Content-Type header contains OGNL. The payload clears OGNL exclusion lists, sets DEFAULT_MEMBER_ACCESS, executes an attacker-controlled OS command, captures output, and writes it back in the HTTP response. Demo mode uses arithmetic/string output to prove evaluation without OS command execution. The run.ps1 wrapper offers menu-driven execution including whoami, diagnostics, and a credential-exfiltration example using type data\users.yaml. Supporting files include upload.jsp and success.jsp for normal app behavior, UserService.java plus users.yaml as a mock sensitive data source, and markdown notes explaining OGNL injection and the Equifax context. Overall, this is a real exploit repository with an operational PoC and a matching vulnerable lab target, focused on unauthenticated web-based RCE and simple post-exploitation data theft.

This repository provides a complete proof-of-concept (POC) environment and exploit for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts2. The repository contains a Dockerfile that builds a vulnerable environment using Ubuntu, Tomcat 9, and Apache Struts2 version 2.3.30, deploying the struts2-showcase application. The exploit itself is implemented in Python (exploit/CVE-2017-5638.py), which sends a specially crafted HTTP request to a target Struts2 endpoint, injecting an OGNL payload via the Content-Type header. This payload bypasses security restrictions and executes arbitrary OS commands on the server, returning the output in the HTTP response. The run.sh script automates the process of building the Docker image, running the vulnerable container, and executing the exploit against the local instance. Documentation is provided in README.md and a detailed technical explanation in docs/TECHNICAL_EXPLANATION.md. The exploit is operational, requiring a vulnerable Struts2 instance accessible over HTTP, and demonstrates real command execution on the target.

This repository is a comprehensive security lab for demonstrating and exploiting the Apache Struts2 S2-045 (CVE-2017-5638) vulnerability. The structure includes both a vulnerable application (Struts 2.3.31) and a patched application (Struts 6.3.x), each with their own Dockerfiles and source code. The vulnerable app exposes a file upload endpoint (/upload) that is susceptible to OGNL injection via a malicious Content-Type header, allowing remote code execution. The exploit is demonstrated via both a Bash script (demo_exploit.sh) and a Python script (exploit.py), which craft multipart/form-data POST requests with OGNL payloads in the Content-Type header to execute arbitrary system commands on the server. The repository also includes detailed documentation, a defense lab with WAF rules (nginx), and a simulator for testing detection patterns. The main exploit capability is remote code execution on the vulnerable Struts2 instance via network-accessible HTTP endpoints. The repository is well-structured for both offensive and defensive security training, with clear separation between vulnerable and patched components.

This repository demonstrates real-world software vulnerabilities and their exploitation, focusing on Apache Struts2 CVE-2017-5638 (Remote Code Execution) and related security concepts. The main exploit is in 'CVE-2017-5638.py', which uses a PowerShell command to send a crafted HTTP POST request to 'http://localhost:8080/' with a malicious Content-Type header containing an OGNL payload. This payload, if processed by a vulnerable Struts2 server, results in the addition of a custom header to the HTTP response, indicating successful code execution. 'Demos.ipynb' is a Jupyter notebook that provides a broader educational context, including server setup (using Flask), attack simulation, and defense strategies such as input sanitization and TLS validation. It also demonstrates data exfiltration via a simulated HTTPS endpoint ('/secure-data') using an expired self-signed certificate, highlighting the risks of improper certificate validation. The repository is structured for educational purposes, with clear separation between exploit code, demonstration notebooks, and documentation. It targets Apache Struts2 installations vulnerable to CVE-2017-5638 and provides both offensive (exploit, exfiltration) and defensive (monitoring, sanitization, TLS best practices) perspectives.

This repository contains a proof-of-concept exploit for CVE-2017-5638, a remote code execution vulnerability in Apache Struts2. The main file, 'exploit.py.txt', is a Python script that sends a specially crafted HTTP POST request to a Struts2 file upload endpoint. The exploit leverages an OGNL injection in the 'Content-Type' header to execute arbitrary system commands on the target server. The default payload executes 'ls /' (or the Windows equivalent) and returns the output. The script is operational and demonstrates successful exploitation if the target is vulnerable. The only hardcoded endpoint is 'http://localhost:8081/struts2-showcase/fileupload/multipleUploadUsingList.action', which can be modified to target other hosts. The repository is minimal, containing only a README and the exploit script.

This repository contains a Python proof-of-concept exploit for CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2. The main file, Runner.py, takes a target URL and a command as arguments. It crafts a malicious 'Content-Type' HTTP header containing an OGNL expression that triggers the vulnerability, allowing arbitrary command execution on the target server. The exploit sends a GET request to the specified URL with the crafted header and prints the response, which should contain the output of the executed command if the target is vulnerable. The repository structure is simple, with a README.md providing usage instructions and a single Python exploit script. No hardcoded endpoints are present; the user supplies the target URL at runtime.

This repository contains a Python exploit script (CVE-2017-5638.py) targeting the Apache Struts 2 vulnerability CVE-2017-5638, which allows for remote code execution via OGNL injection in the Content-Type header of HTTP requests. The script requires the user to specify a target URL ending in '.action' (typical for Struts 2 endpoints) and a command to execute. It crafts a malicious Content-Type header containing OGNL expressions that, when processed by a vulnerable Struts 2 server, result in arbitrary command execution. The output of the command is returned in the HTTP response. The repository also includes a README.md with usage instructions and warnings. No hardcoded endpoints are present; the user supplies the target at runtime. The exploit is operational, providing real command execution if the target is vulnerable.

This repository provides a full proof-of-concept (POC) environment and exploit for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2.5.10. The repository includes: - A Dockerfile and a Bash setup script to build a vulnerable server environment running Tomcat and Struts 2.5.10 on Debian, exposing port 8080. - Instructions and scripts to install Java, Tomcat, Maven, and deploy a vulnerable Struts web application. - 'exploit.py', a Python script that sends a malicious HTTP POST request with a specially crafted Content-Type header containing an OGNL payload. This payload exploits the Struts vulnerability to execute arbitrary system commands on the server. - 'pwn-page.jsp', a defacement page indicating successful exploitation. The main exploit capability is remote code execution via network (HTTP POST) against a vulnerable Struts server. The exploit is generic and allows the attacker to specify any command to run on the target. The repository is structured to facilitate both local testing (via Docker) and exploitation of remote targets running the vulnerable software. No hardcoded IPs or domains are present, but the default setup exposes the Tomcat server on port 8080. The exploit is a POC and does not include advanced features such as persistence or privilege escalation.

This repository provides a Bash-based exploit and mass scanner for the Apache Struts 2 vulnerability CVE-2017-5638. The structure includes two main directories: 'Exploiter' and 'MassScanner'. - 'Exploiter/Exploit.sh' is an interactive exploit script that takes a target URL (e.g., http://site.com/log.action) and allows the user to execute arbitrary shell commands on the vulnerable server by sending a specially crafted HTTP request exploiting OGNL injection in the Content-Type header. The output of the command is returned to the user. - 'MassScanner/Scan.sh' is a mass scanning script that takes a file containing a list of URLs and checks each for vulnerability to CVE-2017-5638 by sending a test payload and looking for a specific response. It reports which URLs are vulnerable. - README files provide usage instructions for both scripts, and the root README clarifies the purpose: to detect and exploit the Apache Struts 2 vulnerability. No hardcoded IP addresses or domains are present, but the scripts require the user to supply target URLs. The exploit is operational, providing real command execution on vulnerable targets, and is not part of a larger exploitation framework.

This repository provides a complete environment for demonstrating and exploiting CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts2 (S2-045). The structure includes a Dockerfile and supporting scripts to build and run a vulnerable Struts2 web application (Java, Spring Boot, Struts2 2.5) on port 8080. The main exploit is implemented in 'exploit/exploit.py', a Python script that sends a specially crafted HTTP request to a target endpoint (e.g., /hello) with a malicious Content-Type header containing an OGNL expression. This expression triggers arbitrary command execution on the server. The repository also includes configuration files (pom.xml, web.xml, struts.xml) and a sample vulnerable JSP page. The exploit is operational: it allows the attacker to specify any system command to execute and returns the output. The README provides clear instructions for setting up the vulnerable environment and running the exploit. No detection-only scripts are present; the exploit is functional and demonstrates real-world impact.

This repository contains an operational exploit for Apache Struts2 CVE-2017-5638, a critical remote code execution vulnerability. The main exploit script, 'struts-pwn.py', is a Python tool that allows users to test single or multiple URLs for the vulnerability and, if vulnerable, execute arbitrary system commands on the target server. The exploit works by sending a specially crafted OGNL payload in the 'Content-Type' HTTP header, which is interpreted by the vulnerable Struts2 server, leading to command execution. The script supports both detection (checking for vulnerability) and exploitation (executing commands), and can process a list of targets from a file. The repository is structured with a main Python script, a requirements file listing dependencies (argparse, requests), a README with usage instructions and legal disclaimer, and a license file. The exploit is not part of a larger framework and is self-contained. The primary attack vector is network-based, targeting web servers running vulnerable Struts2 endpoints.

This repository provides a proof-of-concept (PoC) exploit for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2. The main exploit is implemented in 'PoC/exploit.py', a Python script that allows the user to check if a target URL is vulnerable and, if so, execute arbitrary system commands on the server by exploiting a flaw in the handling of the 'Content-Type' HTTP header. The script constructs a malicious OGNL payload and injects it via the 'Content-Type' header in an HTTP request to the target. The repository also includes setup instructions for creating a vulnerable environment using Apache Tomcat and a vulnerable version of Struts 2, as well as documentation and a requirements file. The exploit is a standalone PoC, not part of a larger framework, and is intended for educational and testing purposes only.

This repository contains a Bash script exploit for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts2 (versions 2.3.5 < 2.3.32 and 2.5 < 2.5.10.1). The exploit works by sending a specially crafted HTTP POST request to a Struts2 file upload endpoint, injecting a malicious OGNL expression in the Content-Type header to execute arbitrary system commands on the server. The script takes two arguments: the target URL and the command to execute. It then constructs and sends the exploit payload, displaying the output of the executed command. The repository is simple, containing only a README and the exploit script, and is operational with a customizable payload. The main attack vector is network-based, targeting HTTP endpoints exposed by vulnerable Struts2 applications.

This repository contains a demonstration of a Web Application Firewall (WAF) and an exploit script for Apache Struts 2 CVE-2017-5638. The main files are: - server.py: Implements a simple Flask web server with a WAF middleware that blocks requests containing certain suspicious patterns. This is for demonstration and does not represent a real-world WAF. - vulnerable.py: A Python script that checks if a given URL is vulnerable to CVE-2017-5638 and, if so, can execute arbitrary commands on the target server by exploiting the OGNL injection vulnerability in the Content-Type header. The script allows the user to check for vulnerability or execute a specified command remotely. The exploit is operational: it provides a working payload for remote command execution and can be used to test or exploit vulnerable Apache Struts 2 instances. The only hardcoded endpoint is the Flask demo server (http://127.0.0.1:5000/), but the exploit script is designed to target arbitrary URLs provided by the user. The repository is structured for educational and demonstration purposes, showing both a basic WAF concept and a real-world exploit.

This repository provides multiple proof-of-concept (PoC) scripts for exploiting CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2. The main exploit script (cve-2017-5638.py) is a Python program that sends a specially crafted HTTP request to a target URL, injecting a malicious OGNL expression via the Content-Type header. This payload enables arbitrary command execution on the vulnerable server, as demonstrated by the ability to list directories and files on the target system. The repository also includes a one-line Python PoC (one-line-poc.py) and a curl command example (curl-poc-for-cve-2017-5638.txt), both of which use the same OGNL payload. The sample-output.txt file shows successful exploitation, including directory listings from a Windows server. The exploit is operational, allowing the user to specify arbitrary commands to execute on the target. The repository targets Apache Struts 2 installations vulnerable to CVE-2017-5638 and is intended for security testing and demonstration purposes.

This repository contains a Python script (CVE-2017-5638.py) that exploits the Apache Struts2 CVE-2017-5638 remote code execution vulnerability. The script reads a list of target URLs from a file provided as a command-line argument and attempts to exploit each by sending a specially crafted HTTP request with a malicious Content-Type header. The payload leverages OGNL injection to execute arbitrary system commands on the target server. The script is multithreaded, launching a new thread for each target. The README is minimal and provides only the exploit's name. The repository is focused and operational, providing a working exploit for remote code execution against vulnerable Apache Struts2 installations.

This repository is a complete exploit demonstration for CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts2 (S2-045). The structure includes a vulnerable Struts2 REST showcase web application (Java, Maven, JSP, XML), Dockerfile for containerized deployment, and a Python exploit script (exploit.py). The exploit works by sending a specially crafted HTTP request with a malicious Content-Type header containing an OGNL payload, which is interpreted by the vulnerable Struts2 server, resulting in arbitrary command execution. The README provides clear instructions for building and running the vulnerable app in Docker, and for using the exploit script to execute arbitrary commands on the server. The repository also contains test cases for the web application, but the main exploit capability is in exploit.py, which targets the /orders/<id> endpoint of the running Struts2 app. The exploit is operational, providing real RCE, and is not just a detection script. The endpoints and file paths in the repo are typical for Struts2 Java webapps and Dockerized deployments. This repository is a practical demonstration environment for security testing and research on Struts2 RCE vulnerabilities.

This repository contains a Python script ('rogueApache.py') that exploits the Apache Struts 2 CVE-2017-5638 remote code execution vulnerability. The exploit works by sending a specially crafted Content-Type header containing an OGNL payload to each URL listed in a local 'urls.txt' file. The script attempts to execute OS commands on the target server to determine if it is running Linux or Windows, and checks for vulnerability by analyzing the command output. The repository also includes a README.md with background information and usage instructions, and a GPLv3 license file. The exploit is a proof-of-concept and requires the attacker to supply a list of target URLs. No hardcoded network endpoints are present; targets are read from 'urls.txt'. The main attack vector is network-based, leveraging HTTP requests to vulnerable web servers.

This repository contains a Python script (strustxp.py) that exploits the Apache Struts 2 vulnerability CVE-2017-5638, which allows for remote code execution via crafted Content-Type headers in HTTP requests. The script provides a shell-like interface, prompting the user for commands, which are then injected into the target server using a malicious OGNL payload. The exploit targets web applications running vulnerable versions of Apache Struts 2, specifically those exposing endpoints that accept multipart/form-data (commonly .action URLs). The script supports the use of an HTTP proxy for traffic routing. The README is minimal and only references the CVE and a Google dork for finding potential targets. The main exploit logic is contained in strustxp.py, which is the only code file in the repository.

This repository is an exploit toolkit for Apache Struts2 S2-045 (CVE-2017-5638), a critical remote code execution vulnerability. The project is structured as a Visual Studio C++ solution, likely providing a GUI tool to exploit the vulnerability. The main payload is a JSP webshell ('default.jsp') that supports a wide range of post-exploitation features, including command execution, file upload/download, file management, and database access. The webshell is compatible with the Chopper webshell client and uses the password 's2045@exp'. The README confirms support for both HTTP and HTTPS targets and arbitrary ports. The exploit is operational and provides persistent access to compromised servers. The repository is intended for educational and research purposes, as stated in the README.

This repository contains a Python exploit script (CVE-2017-5638.py) targeting the Apache Struts2 remote code execution vulnerability (CVE-2017-5638). The script reads a list of target URLs from a file provided as a command-line argument. For each target, it provides an interactive shell-like prompt, allowing the user to send arbitrary system commands to the vulnerable server. The exploit works by sending a specially crafted HTTP request with a malicious OGNL expression in the Content-Type header, triggering command execution on the server. The script is operational and provides real command execution capabilities, returning the output to the user. The README is minimal and only states the repository's purpose as a mass scanner for the vulnerability.

This repository provides operational exploit code for CVE-2017-5638 (Apache Struts 2 S2-045 remote code execution vulnerability). The exploit leverages OGNL injection via a crafted Content-Type header in HTTP requests to execute arbitrary system commands on vulnerable Struts 2 servers. The main exploit scripts are written in Python (cmd.py and poc_test.py), allowing interactive command execution on the target. Additional payloads for Windows are included: a VBScript (download.vbs) and a batch command (一条cmd远程下载.txt) to download and execute files (e.g., lcx.exe, ngrok.sh) from a remote server (121.42.56.8). The repository also contains lists of potential target URLs and action keywords for identifying vulnerable endpoints. Overall, the repository is structured to facilitate both exploitation and post-exploitation payload delivery, with a focus on Windows post-exploitation utilities.