Struts2 S2-012 vulnerability affects versions 2.1.0 to 2.3.13. It occurs when using redirect type results with ${param_name} as redirect variables in Action configuration. During redirect, Struts2 evaluates OGNL expressions in the parameter value, allowing arbitrary command execution. The exploit is straightforward as there is no sandbox or character restrictions, similar to S2-001.
Here, a name variable is defined in UserAction. When a redirect-type response is triggered, Struts2 retrieves its value using ${name}. During this process, the value of the name parameter undergoes OGNL expression parsing, which allows arbitrary OGNL expressions to be injected, leading to command execution.
Exploit
You can directly pull the echo POC from s2-001, since there is no sandbox here and no restrictions on any special characters — why would there be?
S2-012: A Remote Code Execution Vulnerability
Affected versions: 2.1.0 - 2.3.13
Vulnerability details: http://struts.apache.org/docs/s2-012.html
Test environment setup
How it works
When configuring a Result with a redirect type in an Action, and using ${param_name} as the redirect variable, for example:
Here, a name variable is defined in UserAction. When a redirect-type response is triggered, Struts2 retrieves its value using ${name}. During this process, the value of the name parameter undergoes OGNL expression parsing, which allows arbitrary OGNL expressions to be injected, leading to command execution.
Exploit
You can directly pull the echo POC from s2-001, since there is no sandbox here and no restrictions on any special characters — why would there be?
Send the request and execute the command: