Apache Struts Version 3 : Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts

Apache Struts Version 3 is a tool to exploit 3 RCE vulnerabilities on ApacheStruts. Script contains the fusion of 3 vulnerabilities of type RCE on ApacheStruts, also has the ability to create server shell.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Below is a full list of all changes:

  • unclosed instantiation of PrintWriter
  • Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
  • NotSerializableException – org.apache.struts2.dispatcher.StrutsRequestWrapper
  • NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using Executioner interceptor
  • ClassCastException in JarEntryRevision
  • Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
  • The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
  • Conversion by annotation does not work
  • List of Boolean is not populated in Action class
  • JSONResult exception in struts2-json-plugin-2.5.14.1.jar
  • buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml
  • Could not create JarEntryRevision for [zip:C:/…. unknown protocol c
  • NPE in I18nInterceptor$SessionLocaleHandler.read
  • JasperReportResult: NPE When Not Using SQL Connection
  • support JSR 303 Validation Groups in BeanValidation-Plugin
  • Debug tag should not display anything when not in dev mode
  • Allow using of Initializable interface on an implementation level
  • Allowed methods inheritance
  • Allow use Jackson XML bindings to serialise / deserialise XML
  • when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into custom array but populating in String array or array list
  • Upgrade Spring to version 4.3.13
  • Update Log4j2 to 2.10.0

Also Read Remote Desktop Caching : Tool To Recover Old RDP

Apache Struts SHELL

php terminado
jsp proceso

CVE ADD

CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'
CVE-2017-5638 Content-Type
CVE-2018-11776 'redirect:' and 'redirectAction'

Credit : Apache Software Foundation

R K

Share
Published by
R K
Tags: ApacheApacheStrutsRCE vulnerabilities
6 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

1 day ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

1 day ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

1 day ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

1 day ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

1 day ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

2 days ago