AnsweredAssumed Answered

Apache Struts2 OGNL injection(CVE-2017-5638) module can't exploit.

Question asked by iwama yu on Apr 5, 2017

Hi, I am testing Apache Struts Jakarta Multipart Parser OGNL Injection(CVE-2017-5638,S02-045,S02-046) by using Metasploit module, but can not exploit.


# Setting options for module
msf exploit(struts2_content_type_ognl) > show options
Module options (exploit/multi/http/struts2_content_type_ognl):

   Name           Current Setting                 Required  Description
   ----           ---------------                 --------  -----------
   DynamicStager  true                            no        Use Dynamic C-Stager if applicable (AV evasion)
   Proxies                                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT          8080                            yes       The target port (TCP)
   SSL            false                           no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /struts2-showcase/index.action  yes       The path to a struts application action
   VHOST                                          no        HTTP server virtual host

Payload options (cmd/unix/generic):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   whoami           yes       The command string to execute


So, I tested same target site by using the following PoC Code( and confirmed can to exploit.


PoC Code can to exploit but metasploit module can not to exploit to same target site, why?

I investigate the cause of can not to exploit and I found to two point.


Firstly I compared the metasploit module source code with the PoC code,I was not found the following line to the metasploit module.



Secondary The HTTP Request that metasploit module send exists two Content-type header.


What I did wrong?