Detection payload for the new Struts REST vulnerability (CVE-2017-9805)


I built a new payload that is useful for detecting the presence of the new Struts REST vulnerability (CVE-2017-9805). It is a modification of the Metasploit payload: it uses the TemplatesImpl gadget to execute a plain Java Thread.sleep(10000) call (thanks to frohoff's ysoserial).

This modification gives a convenient detection method. It is enough to send the payload below to the target server: if the target is vulnerable, it will answer after 10 seconds!

It is also possible to use the Metasploit payload to send a ping toward a domain for which you are authoritative (and sniff on the authoritative DNS server), but a firewall on, or in front of, the target server may filter DNS and ICMP traffic and consequently block that detection method. With a sleep payload, detection is much more reliable.
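The same timing signature works the other way round for defenders: a request with an XML body against a Struts REST endpoint that takes roughly 10 seconds to answer is exactly what this sleep probe looks like in the server's access log. The following is an added example, not code from the original post or from Metasploit, that scans constructed access-log lines for that pattern. It assumes a log format with the request Content-Type header and the response time in microseconds appended to each line (Apache-style `"%{Content-Type}i" %D`), and a constructed 10-second sleep duration with a small tolerance; the sample lines, IPs and paths are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed (constructed) log format: combined log with two extra fields appended:
#   "%{Content-Type}i" %D   -> request Content-Type header, response time in microseconds
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)" (?P<micros>\d+)$'
)

SLEEP_SECONDS = 10.0   # delay induced by the sleep probe described in the post
TOLERANCE = 0.5        # allow for network jitter around the 10 s mark


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    seconds: float


def is_xml_body_request(method: str, ctype: str) -> bool:
    """The Struts REST plugin deserialises XML request bodies with XStream, so only
    requests that carry a body with an XML Content-Type can trigger the bug."""
    return method in ("POST", "PUT") and "xml" in ctype.lower()


def looks_like_sleep_probe(seconds: float) -> bool:
    """A response that took at least ~10 s (sleep plus normal processing) matches the probe."""
    return seconds >= SLEEP_SECONDS - TOLERANCE


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request that has an XML body and a ~10 s response time."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        seconds = int(m["micros"]) / 1_000_000
        if is_xml_body_request(m["method"], m["ctype"]) and looks_like_sleep_probe(seconds):
            findings.append(Finding(m["ip"], m["ts"], m["path"], int(m["status"]), seconds))
    return findings


# Constructed sample lines (not real traffic): two normal requests, two probe-shaped ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2017:10:15:20 +0000] "GET /orders/3 HTTP/1.1" 200 840 "-" 12045',
    '10.0.0.5 - - [05/Sep/2017:10:15:32 +0000] "POST /orders/3 HTTP/1.1" 500 1320 "application/xml" 10042113',
    '10.0.0.7 - - [05/Sep/2017:10:16:01 +0000] "POST /orders/3 HTTP/1.1" 200 512 "application/xml" 83201',
    '192.0.2.9 - - [05/Sep/2017:10:17:44 +0000] "PUT /orders/3 HTTP/1.1" 500 1320 "application/xml;charset=UTF-8" 9987004',
    'this line is garbage and must not crash the scanner',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"probe-shaped request from {f.ip} at {f.ts}: {f.path} -> {f.status} in {f.seconds:.2f}s")
```

The path is deliberately not used as a filter, because the REST plugin's URLs are application-specific; in practice you would narrow the scan to the endpoints served by the REST plugin and correlate with the 500 status that a failed deserialisation usually produces.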

Here is the detection payload: