37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
id: struts-ognl-console
|
|
|
|
info:
|
|
name: Apache Struts - OGNL Console
|
|
author: DhiyaneshDK
|
|
severity: unknown
|
|
description: |
|
|
This development console allows the evaluation of OGNL expressions that could lead to Remote Command Execution
|
|
remediation: Restrict access to the struts console on the production server
|
|
reference:
|
|
- https://github.com/PortSwigger/j2ee-scan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsWebConsole.java
|
|
classification:
|
|
cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
vendor: apache
|
|
product: struts
|
|
shodan-query: html:"Struts Problem Report"
|
|
tags: apache,struts,ognl,panel,misconfig
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- '{{BaseURL}}/struts/webconsole.html?debug=console'
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- 'Welcome to the OGNL console!'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
# digest: 490a00463044022024b5c243fae6480795adf107bc10a68f481b15a5a239304920c4abb2d4bd4078022045dc60a3f832e49e8850693feb4158c656e0f26d6b296ae1b0313a248eb8a015:922c64590222798bb761d5b6d8e72950 |