XSS.CX Home | Commentary | XSS Filter Evasion

CVE-2017-5638, annualcreditreport.com, Unpatched, PoC, Example

TL;DR The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as shown below.

Comment: 72 hours after this Bug was published, annualcreditreport.com still hadn't patched.

Sample Date: March, 10, 2016
Target URL High Medium Low Info
annualcreditreport.com1000
CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, dmesg CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, curl CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, /etc/passwd CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, WAR File Deployment CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, ps -aux listing CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, arp -a listing CVE-2017-5638, annualcreditreport.com, Exploit, PoC, Example, apache access_log listing
Alert Detail Click here to hide all alerts
Hide the alert
Confirmed ExploitCVE-2017-5638
Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.
URL https://www.annualcreditreport.com/
Injection Type Content-Type: Header
Other information Verified Exploit Report