RCE via Apache Struts2 - Still out there.

Abhishek
2 min readFeb 27, 2020

--

Apache Struts2 was discovered years ago but still we can find instances of it around the internet.

I reported a few vulnerabilities to this website and so they gave me another website that they owned to see if i could find any vulnerabilities in them.

Within a few days i managed to find few Reflected XSS and CSRF issues. After reporting it to them they said that they were aware of the issues and are in the process of fixing it.

After looking here and there i didn't find anything valuable to report.

I knew that the web app was running java with the help of wappalyzer and so by doing bit of google-fu i found endpoints that were ending with .action

site:redacted.com filetype:action

If you find endpoints ending with .action, .do, .go that means that the website is running Struts2 and might be vulnerable. To exploit this we send a Content-Type header that has a specially crafted message.

Content-Type: %{#context[‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’].addHeader(‘Namehere’,4*4)}.multipart/form-data

Content-Type: .multipart/form-data~%{#context[“com.opensymphony.xwork2.dispatcher.HttpServletResponse”].addHeader(“Namehere”,4*4)}

These are the 2 headers, you can try both to check if the server performs the multiplication of the numbers or any other operation.

In my case the second one worked and it added a new header Abhishek: 16 which proves that the server is vulnerable.

This is enough to prove that RCE exists but for POC i used the below script to run commands and i had root access on the server.

I reported it quickly and they fixed it within couple of days. Hope you learned something, if you liked then please share.

Follow me on twitter — https://twitter.com/abhishekY495

Thank You.

--

--