From 4bffd26c0b7d90e38cd4fa606a77c3930a1bcac4 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Wed, 22 Mar 2017 00:28:01 +0000
Subject: [PATCH] Adds support for user-selectable HTTP method. Closes #759
---
 CHANGELOG | 4 ++--
 scripts/http-vuln-cve2017-5638.nse | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index dfd9142d2..53a98bfe9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -19,8 +19,8 @@ o [Ncat][GH#157] Ncat will now continue trying to connect to each resolved
 o [NSE][GH#743] New script broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
-o [NSE][GH#740] New script http-vuln-cve2017-5638 checks for the RCE bug in
- Apache Struts. [Seth Jackson]
+o [NSE][GH#740][GH#759] New script http-vuln-cve2017-5638 checks for the RCE
+ bug in Apache Struts2. [Seth Jackson]
 o [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
diff --git a/scripts/http-vuln-cve2017-5638.nse b/scripts/http-vuln-cve2017-5638.nse
index 4d9cb1092..d1b4a9a3c 100644
--- a/scripts/http-vuln-cve2017-5638.nse
+++ b/scripts/http-vuln-cve2017-5638.nse
@@ -28,6 +28,7 @@ local string = require "string"
 -- | https://cwiki.apache.org/confluence/display/WW/S2-045
 -- |_ http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
 --
+-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is "GET".
 -- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".
 author = "Seth Jackson"
@@ -58,6 +59,7 @@ vulnerability via the Content-Type header.
 local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
 local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
 local value = stdnse.generate_random_string(8)
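Review bot: The `method` value read in the second hunk of scripts/http-vuln-cve2017-5638.nse defaults to "GET", but the call this commit replaces in the last hunk was `http.post(...)`, so a run with no arguments now sends a different request than before and findings from earlier scans are not directly comparable. The `@args` line added in the first hunk should say so, for example by appending `Earlier versions always sent POST.` to it. The value is also handed to `http.generic_request` exactly as typed; unless that function normalises it, `local method = string.upper(stdnse.get_script_args(SCRIPT_NAME..".method") or "GET")` avoids a lower-case method being refused by the server and the host being reported as not vulnerable. The enclosing function starts and ends outside this hunk.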
@@ -65,7 +67,7 @@ vulnerability via the Content-Type header.
 ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
 }
- local response = http.post(host, port, path, { header = header })
+ local response = http.generic_request(host, port, method, path, { header = header })
 if response and response.status == 200 and response.header["x-check-struts"] == value then
 vuln.state = vulns.STATE.VULN
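Review bot: The unchanged condition right after the new `http.generic_request` call still requires `response.status == 200`, and with a user-chosen method that becomes a likely source of missed detections: a method the path answers with a redirect or an error status produces no finding even if the random `X-Check-Struts` value comes back. Since the echoed random value is the actual evidence, consider testing it alone, `if response and response.header and response.header["x-check-struts"] == value then`, or at least state the status requirement in the script documentation. Whether affected servers return the header on non-200 responses is not visible in this diff and should be confirmed against a test instance. The `if` block continues past the end of the hunk.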