Apache Struts Version 3 : Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts

Apache Struts Version 3 is a tool to exploit 3 RCE vulnerabilities on ApacheStruts. Script contains the fusion of 3 vulnerabilities of type RCE on ApacheStruts, also has the ability to create server shell.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Below is a full list of all changes:

  • unclosed instantiation of PrintWriter
  • Http Sessions forcefully created for all requests using I18nInterceptor with default Storage value.
  • NotSerializableException – org.apache.struts2.dispatcher.StrutsRequestWrapper
  • NotSerializableException: com.opensymphony.xwork2.inject.ContainerImpl$ConstructorInjector when using Executioner interceptor
  • ClassCastException in JarEntryRevision
  • Dependency Mapping Exception When Using PrefixBasedActionProxyFactory
  • The converter() method of com.opensymphony.xwork2.conversion.annotations.TypeConversion is now deprecated. If this method is removed in some next release, it will forbid to describe a converter by the name (id) of a Spring bean.
  • Conversion by annotation does not work
  • List of Boolean is not populated in Action class
  • JSONResult exception in struts2-json-plugin-2.5.14.1.jar
  • buttons with name=”method:METHODNAME” sometimes ignore global-allowed-methods defined in struts.xml
  • Could not create JarEntryRevision for [zip:C:/…. unknown protocol c
  • NPE in I18nInterceptor$SessionLocaleHandler.read
  • JasperReportResult: NPE When Not Using SQL Connection
  • support JSR 303 Validation Groups in BeanValidation-Plugin
  • Debug tag should not display anything when not in dev mode
  • Allow using of Initializable interface on an implementation level
  • Allowed methods inheritance
  • Allow use Jackson XML bindings to serialise / deserialise XML
  • when using an custom array as a filed in struts 2 action form textfiled data from jsp page in not populating into custom array but populating in String array or array list
  • Upgrade Spring to version 4.3.13
  • Update Log4j2 to 2.10.0

Also Read Remote Desktop Caching : Tool To Recover Old RDP

Apache Struts SHELL

php terminado
jsp proceso

CVE ADD

CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'
CVE-2017-5638 Content-Type
CVE-2018-11776 'redirect:' and 'redirectAction'

Credit : Apache Software Foundation

R K

Share
Published by
R K
Tags: ApacheApacheStrutsRCE vulnerabilities
7 years ago

Recent Posts

Playwright-MCP : A Powerful Tool For Browser Automation

Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…

2 hours ago

JBDev : A Tool For Jailbreak And TrollStore Development

JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…

23 hours ago

Kereva LLM Code Scanner : A Revolutionary Tool For Python Applications Using LLMs

The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…

1 day ago

Nuclei-Templates-Labs : A Hands-On Security Testing Playground

Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…

1 day ago

SSH-Stealer : The Stealthy Threat Of Advanced Credential Theft

SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…

1 day ago

ollvm-unflattener : A Tool For Reversing Control Flow Flattening In OLLVM

Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…

1 day ago