The S2-001 vulnerability exploits how Struts 2 processes OGNL expressions when form validation fails. When users submit form data that fails validation, the backend uses the OGNL expression %{value} to parse and refill the submitted parameters. This allows attackers to inject malicious OGNL payloads for remote command execution. The vulnerability is commonly found in registration or login pages where the backend returns previously submitted data after validation failure. The exploit can be used to obtain Tomcat execution paths, web paths, and execute arbitrary commands using Java strings.
This vulnerability arises because when a user submits form data and validation fails, the backend parses the previously submitted parameter values using the OGNL expression %{value} and then refills them back into the corresponding form fields. For example, on a registration or login page, the backend typically returns the previously submitted data by default when submission fails. Since the backend evaluates the submitted data with the OGNL expression %{value}, an attacker can directly craft a payload to execute arbitrary commands.
Environment Setup
Run the following command to start the S2-001 test environment:
S2-001 Remote Code Execution Vulnerability
Principle
Reference: http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html
Environment Setup
Run the following command to start the S2-001 test environment:
POC & Exploit
Get the Tomcat execution path:
Get the web path:
Execute arbitrary commands (command with arguments: new java.lang.String[]{"cat","/etc/passwd"}):