Apache Struts Version 3 : Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts

Apache Struts Version 3 is a tool to exploit 3 RCE vulnerabilities on ApacheStruts. Script contains the fusion of 3 vulnerabilities of type RCE on ApacheStruts, also has the ability to create server shell.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Below is a full list of all changes:

  • unclosed instantiation of PrintWriter
  • Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
  • NotSerializableException – org.apache.struts2.dispatcher.StrutsRequestWrapper
  • NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using Executioner interceptor
  • ClassCastException in JarEntryRevision
  • Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
  • The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
  • Conversion by annotation does not work
  • List of Boolean is not populated in Action class
  • JSONResult exception in struts2-json-plugin-2.5.14.1.jar
  • buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml
  • Could not create JarEntryRevision for [zip:C:/…. unknown protocol c
  • NPE in I18nInterceptor$SessionLocaleHandler.read
  • JasperReportResult: NPE When Not Using SQL Connection
  • support JSR 303 Validation Groups in BeanValidation-Plugin
  • Debug tag should not display anything when not in dev mode
  • Allow using of Initializable interface on an implementation level
  • Allowed methods inheritance
  • Allow use Jackson XML bindings to serialise / deserialise XML
  • when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into custom array but populating in String array or array list
  • Upgrade Spring to version 4.3.13
  • Update Log4j2 to 2.10.0

Also Read Remote Desktop Caching : Tool To Recover Old RDP

Apache Struts SHELL

php terminado
jsp proceso

CVE ADD

CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'
CVE-2017-5638 Content-Type
CVE-2018-11776 'redirect:' and 'redirectAction'

Credit : Apache Software Foundation

R K

Share
Published by
R K
Tags: ApacheApacheStrutsRCE vulnerabilities
8 years ago

Recent Posts

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

4 days ago

Best Linux Distros in 2026

Linux is renowned for its versatility, open-source nature, and security. Whether you're a beginner, developer,…

4 days ago

Top 10 Cyber Insurance Companies in 2026

Cyber insurance helps businesses and individuals mitigate financial losses from data breaches, ransomware, extortion, legal…

4 days ago

Ransomware Incident Response

Ransomware is one of the most dangerous and destructive forms of cybercrime today. With cybercriminals…

4 days ago

Best Social Media Search Engines and Tools for 2026

Social media is a key part of our daily lives, with millions of users sharing…

4 days ago

How to Remove Your Personal Information from Data Broker Websites (2026 Guide)

What Are Data Brokers? Data brokers are companies that collect, aggregate, and sell personal information,…

4 days ago