Struts2 versions 2.0.0 to 2.3.15 are affected by a vulnerability where the DefaultActionMapper class allows OGNL expressions to be appended to navigation prefixes like 'action:', 'redirect:', and 'redirectAction:'. Without proper filtering, this enables arbitrary system command execution by visiting a URL such as http://your-ip:8080/index.action?redirect:OGNL_expression. Attackers can retrieve web directories, write webshells, and execute commands.
In Struts2, the DefaultActionMapper class supports "action:", "redirect:", and "redirectAction:" as navigation or redirect prefixes. However, these prefixes can be followed by OGNL expressions. Since Struts2 does not sanitize these prefixes, attackers can use OGNL expressions to invoke Java static methods and execute arbitrary system commands.
Therefore, visiting http://your-ip:8080/index.action?redirect:OGNL表达式 will execute the OGNL expression.
S2-016 Remote Code Execution Vulnerability
Affected versions: 2.0.0 - 2.3.15
Vulnerability details:
Test environment setup
Vulnerability reproduction
In Struts2, the DefaultActionMapper class supports "action:", "redirect:", and "redirectAction:" as navigation or redirect prefixes. However, these prefixes can be followed by OGNL expressions. Since Struts2 does not sanitize these prefixes, attackers can use OGNL expressions to invoke Java static methods and execute arbitrary system commands.
Therefore, visiting http://your-ip:8080/index.action?redirect:OGNL表达式 will execute the OGNL expression.
Execute command:
Get web directory:
Write webshell:
Execution result: