This document details the Apache Struts2 S2-032 remote code execution vulnerability, affecting versions 2.3.20 to 2.3.28 (excluding specific patches). It occurs when Dynamic Method Invocation is enabled, allowing the method:<name> syntax to evaluate OGNL expressions. The vulnerability can be exploited by sending a crafted URL to execute arbitrary commands like id. The document provides links for further details and instructions to set up a vulnerable environment using Struts2 2.3.28.
Run the following command to start struts2 2.3.28:
docker compose up -d
Once the environment is running, visit http://your-ip:8080 to see the default page.
Reproducing the Vulnerability
With Dynamic Method Invocation enabled, Struts2 allows you to use method:<name> to call the method named <name>. This method name will be evaluated as an OGNL expression, leading to a remote command execution vulnerability.
Send a request to the following URL to execute the id command:
S2-032: Remote Code Execution Vulnerability (CVE-2016-3081)
method:<name>syntax to evaluate OGNL expressions. The vulnerability can be exploited by sending a crafted URL to execute arbitrary commands likeid. The document provides links for further details and instructions to set up a vulnerable environment using Struts2 2.3.28.Affected versions: Struts 2.3.20 – Struts 2.3.28 (excluding 2.3.20.3 and 2.3.24.3)
Vulnerability details:
Vulnerable Environment
Run the following command to start struts2 2.3.28:
Once the environment is running, visit http://your-ip:8080 to see the default page.
Reproducing the Vulnerability
With Dynamic Method Invocation enabled, Struts2 allows you to use method:<name> to call the method named <name>. This method name will be evaluated as an OGNL expression, leading to a remote command execution vulnerability.
Send a request to the following URL to execute the id command: