This document details the Struts2 S2-045 vulnerability affecting versions 2.3.5 to 2.3.31 and 2.5 to 2.5.10. It provides links to the official Apache advisory and other references. The vulnerability environment is set up using Struts2 2.3.30, accessible at http://your-ip:8080. Proof of concept involves sending a specific data packet to execute code, demonstrated by the successful execution of '233*233'.
S2-045 Remote Code Execution Vulnerability (CVE-2017-5638)
Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
Vulnerability details:
Vulnerability environment
Run the following command to start Struts2 2.3.30:
Once the environment is up, visit http://your-ip:8080 to see the upload page.
Vulnerability reproduction
Send the following packet directly, and you will see 233*233 has been executed successfully: