struts2_cve-2017-5638
by m3ssap0
A Java-based exploit tool for remotely executing commands on vulnerable Apache Struts 2 servers via the CVE-2017-5638 vulnerability.
This is a sort of Java porting of the Python exploit at: https://www.exploit-db.com/exploits/41570/.
Primary Use Case
This tool is designed for security engineers and application security professionals to test and exploit the remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638). It allows penetration testers and red teamers to verify if a target server is vulnerable by executing arbitrary commands remotely, aiding in security assessments and vulnerability validation.
- Java port of the original Python exploit for CVE-2017-5638
- No external dependencies required
- Supports remote command execution on vulnerable Apache Struts 2 servers
- Allows passing authentication cookies for authenticated requests
- Verbose mode for detailed output
- Simple CLI interface with help options
Installation
- Ensure Java Runtime Environment (JRE) is installed on your system
- Download the struts2_cve-2017-5638.jar file from the repository
- Run the tool using the command: java -jar struts2_cve-2017-5638.jar
Usage
>_ java -jar struts2_cve-2017-5638.jar --url "https://vuln1.foo.com/asd" --command ipconfigExecutes the 'ipconfig' command on the target URL to test for vulnerability.
>_ java -jar struts2_cve-2017-5638.jar --url "https://vuln2.foo.com/asd" --command ipconfig --cookies "JSESSIONID=qwerty0123456789"Executes the 'ipconfig' command on the target URL with authentication cookies.
>_ java -jar struts2_cve-2017-5638.jar --url "https://vuln3.foo.com/asd" --command dir --cookies "JSESSIONID=qwerty0123456789;foo=bar"Executes the 'dir' command on the target URL with multiple authentication cookies.
>_ java -jar struts2_cve-2017-5638.jar -hDisplays the help message with usage options.
- Integrate this tool into red team exercises to validate Apache Struts 2 vulnerability mitigations.
- Use in automated CI/CD security pipelines to detect vulnerable Struts 2 instances before deployment.
- Combine with network monitoring tools to detect exploitation attempts via anomalous Content-Type headers.
- Leverage verbose mode output for detailed forensic analysis during incident response drills.
- Chain with privilege escalation exploits for comprehensive post-exploitation scenario testing.
Docs Take 2 Hours. AI Takes 10 Seconds.
Ask anything about struts2_cve-2017-5638. Installation? Config? Troubleshooting? Get answers trained on real docs and GitHub issues—not generic ChatGPT fluff.
This tool hasn't been indexed yet. Request indexing to enable AI chat.
Admin will review your request within 24 hours
Related Tools
Awesome-Hacking
Hack-with-Github/Awesome-Hacking
A collection of various awesome lists for hackers, pentesters and security researchers
hackingtool
Z4nzu/hackingtool
ALL IN ONE Hacking Tool For Hackers
mitmproxy
mitmproxy/mitmproxy
An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
sqlmap
sqlmapproject/sqlmap
Automatic SQL injection and database takeover tool
metasploit-framework
rapid7/metasploit-framework
Metasploit Framework
h4cker
The-Art-of-Hacking/h4cker
This repository is maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), AI security, vulnerability research, exploit development, reverse engineering, and more. 🔥 Also check: https://hackertraining.org