Apache Struts Version 3 is a tool to exploit 3 RCE vulnerabilities on ApacheStruts. Script contains the fusion of 3 vulnerabilities of type RCE on ApacheStruts, also has the ability to create server shell.
Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.
Below is a full list of all changes:
- unclosed instantiation of PrintWriter
- Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
- NotSerializableException – org.apache.struts2.dispatcher.StrutsRequestWrapper
- NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using Executioner interceptor
- ClassCastException in JarEntryRevision
- Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
- The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
- Conversion by annotation does not work
- List of Boolean is not populated in Action class
- JSONResult exception in struts2-json-plugin-2.5.14.1.jar
- buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml
- Could not create JarEntryRevision for [zip:C:/…. unknown protocol c
- NPE in I18nInterceptor$SessionLocaleHandler.read
- JasperReportResult: NPE When Not Using SQL Connection
- support JSR 303 Validation Groups in BeanValidation-Plugin
- Debug tag should not display anything when not in dev mode
- Allow using of Initializable interface on an implementation level
- Allowed methods inheritance
- Allow use Jackson XML bindings to serialise / deserialise XML
- when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into custom array but populating in String array or array list
- Upgrade Spring to version 4.3.13
- Update Log4j2 to 2.10.0
Also Read Remote Desktop Caching : Tool To Recover Old RDP
Apache Struts SHELL
php terminado
jsp proceso
CVE ADD
CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'
CVE-2017-5638 Content-Type
CVE-2018-11776 'redirect:' and 'redirectAction'
Credit : Apache Software Foundation
