Apache Struts2 versions 2.0.0 to 2.3.32 are affected by a vulnerability (S2-048). The issue can be exploited in the showcase application by entering an OGNL expression in the 'Gangster Name' form field on the Integration/Struts 1 Integration page. A proof-of-concept using ${233*233} demonstrates expression execution. A sandbox bypass method from S2-045 was adapted to create a working exploit that provides command execution results directly in the response. The S2-045 exploit can also be used with Burp.
For the underlying principles, refer to the reference documents. Here we'll only cover the current environment.
This environment uses the showcase app from struts-2.3.32 downloaded directly and deployed under tomcat-8.5. Once the environment is up, visithttp://your-ip:8080/showcase/ to see the Struts2 test page.
Navigate to Integration/Struts 1 Integration:
The OGNL expression is triggered via theGangster Name form field.
Enter${233*233} to see the execution result (the other two form fields can be filled in arbitrarily):
Borrowing the sandbox bypass technique from S2-045, I modified a POC. Paste the following POC into theGengster Name form field, submit it, and the command execution result will be echoed back directly:
S2-048 Remote Code Execution Vulnerability
${233*233}demonstrates expression execution. A sandbox bypass method from S2-045 was adapted to create a working exploit that provides command execution results directly in the response. The S2-045 exploit can also be used with Burp.Affected versions: 2.0.0 – 2.3.32
Vulnerability details:
Setting up the test environment
Reproducing the vulnerability
For the underlying principles, refer to the reference documents. Here we'll only cover the current environment.
This environment uses the showcase app from struts-2.3.32 downloaded directly and deployed under tomcat-8.5. Once the environment is up, visithttp://your-ip:8080/showcase/ to see the Struts2 test page.
Navigate to Integration/Struts 1 Integration:
The OGNL expression is triggered via theGangster Name form field.
Enter${233*233} to see the execution result (the other two form fields can be filled in arbitrarily):
Borrowing the sandbox bypass technique from S2-045, I modified a POC. Paste the following POC into theGengster Name form field, submit it, and the command execution result will be echoed back directly:
Of course, you can also use the S2-045 POC directly (you'll need to test it in Burp):