Apache Struts Version 3 : Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts

Apache Struts Version 3 is a tool to exploit 3 RCE vulnerabilities on ApacheStruts. Script contains the fusion of 3 vulnerabilities of type RCE on ApacheStruts, also has the ability to create server shell.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Below is a full list of all changes:

  • unclosed instantiation of PrintWriter
  • Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
  • NotSerializableException – org.apache.struts2.dispatcher.StrutsRequestWrapper
  • NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using Executioner interceptor
  • ClassCastException in JarEntryRevision
  • Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
  • The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
  • Conversion by annotation does not work
  • List of Boolean is not populated in Action class
  • JSONResult exception in struts2-json-plugin-2.5.14.1.jar
  • buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml
  • Could not create JarEntryRevision for [zip:C:/…. unknown protocol c
  • NPE in I18nInterceptor$SessionLocaleHandler.read
  • JasperReportResult: NPE When Not Using SQL Connection
  • support JSR 303 Validation Groups in BeanValidation-Plugin
  • Debug tag should not display anything when not in dev mode
  • Allow using of Initializable interface on an implementation level
  • Allowed methods inheritance
  • Allow use Jackson XML bindings to serialise / deserialise XML
  • when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into custom array but populating in String array or array list
  • Upgrade Spring to version 4.3.13
  • Update Log4j2 to 2.10.0

Also Read Remote Desktop Caching : Tool To Recover Old RDP

Apache Struts SHELL

php terminado
jsp proceso

CVE ADD

CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'
CVE-2017-5638 Content-Type
CVE-2018-11776 'redirect:' and 'redirectAction'

Credit : Apache Software Foundation

R K

Share
Published by
R K
Tags: ApacheApacheStrutsRCE vulnerabilities
7 years ago

Recent Posts

Website OSINT: Tools and Techniques for Reconnaissance

Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…

8 hours ago

Top OSINT Tools to Find Emails, Usernames and Passwords

Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…

22 hours ago

Google Dorking in Cybersecurity: A Complete Guide

Introduction In the vast ocean of the internet, the most powerful tool you already have…

1 day ago

Pystinger : Bypass Firewall For Traffic Forwarding Using Webshell

Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…

2 weeks ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 weeks ago

CVE-Search : A Tool To Perform Local Searches For Known Vulnerabilities

Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…

2 weeks ago