id: struts-ognl-console info: name: Apache Struts - OGNL Console author: DhiyaneshDK severity: unknown description: | This development console allows the evaluation of OGNL expressions that could lead to Remote Command Execution remediation: Restrict access to the struts console on the production server reference: - https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java classification: cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: apache product: struts shodan-query: html:"Struts Problem Report" tags: apache,struts,ognl,panel,misconfig http: - method: GET path: - '{{BaseURL}}/struts/webconsole.html?debug=console' matchers-condition: and matchers: - type: word part: body words: - 'Welcome to the OGNL console!' - type: status status: - 200 # digest: 490a00463044022024b5c243fae6480795adf107bc10a68f481b15a5a239304920c4abb2d4bd4078022045dc60a3f832e49e8850693feb4158c656e0f26d6b296ae1b0313a248eb8a015:922c64590222798bb761d5b6d8e72950