Back to search

Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution

This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is enabled.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

Download Now

Module Name

exploit/multi/http/struts_dmi_rest_exec

Authors

Nixawk

References

Targets

Windows Universal
Linux Universal
Java Universal

Platforms

java
linux
windows

Architectures

x86
java

Reliability

Excellent

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


      msf > use exploit/multi/http/struts_dmi_rest_exec
      msf exploit(struts_dmi_rest_exec) > show targets
            ...targets...
      msf exploit(struts_dmi_rest_exec) > set TARGET <target-id>
      msf exploit(struts_dmi_rest_exec) > show options
            ...show and set options...
      msf exploit(struts_dmi_rest_exec) > exploit

Related Vulnerabilities

Apache Struts: S2-033 (CVE-2016-3087): Security updates available for Apache Struts

Vulnerability & Exploit Database