This vulnerability affects Struts 2 versions 2.0.1 through 2.3.33 and 2.5 through 2.5.10. When using the Freemarker template engine, Struts2 allows OGNL expression parsing. User input is first parsed by Freemarker, then parsed again by OGNL, leading to arbitrary command execution. To reproduce, access the test environment at http://your-ip:8080/hello.action and submit a payload. Note that the payload must end with a newline character for successful execution.
Affected versions: Struts 2.0.1 through Struts 2.3.33, Struts 2.5 through Struts 2.5.10
Once the environment is running, visit http://your-ip:8080/hello.action to view the submission page.
Vulnerability Reproduction
When using the Freemarker template engine, Struts2 still parses OGNL expressions. User-supplied input is not parsed by OGNL directly — but after Freemarker processes it once, the result becomes a valid expression that OGNL then parses a second time, leading to an arbitrary command execution vulnerability.
Enter the following payload to successfully execute commands:
Note: Some users report being unable to reproduce the vulnerability. After testing, I found that the line break at the end of the payload above is required (a line break must follow the payload — the reason is unclear). Send the request again and it should work.
S2-053: Remote Code Execution Vulnerability
Affected versions: Struts 2.0.1 through Struts 2.3.33, Struts 2.5 through Struts 2.5.10
Vulnerability Details
Setting Up the Test Environment
Once the environment is running, visit http://your-ip:8080/hello.action to view the submission page.
Vulnerability Reproduction
When using the Freemarker template engine, Struts2 still parses OGNL expressions. User-supplied input is not parsed by OGNL directly — but after Freemarker processes it once, the result becomes a valid expression that OGNL then parses a second time, leading to an arbitrary command execution vulnerability.
Enter the following payload to successfully execute commands:
Note: Some users report being unable to reproduce the vulnerability. After testing, I found that the line break at the end of the payload above is required (a line break must follow the payload — the reason is unclear). Send the request again and it should work.