CVE-2012-0394 PoC — Apache Struts 'DebuggingInterceptor' Component Code Injection Vulnerability

Source
Associated Vulnerability
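Title: Apache Struts 'DebuggingInterceptor' Component Code Injection Vulnerability (CVE-2012-0394)
Description: Apache Struts is an open-source project maintained by the Apache Software Foundation in the United States. It is an open-source MVC framework for building enterprise Java web applications and is offered mainly as two framework products, Struts 1 and Struts 2. A vulnerability exists in the DebuggingInterceptor component in Apache Struts2 versions before 2.3.1.1. When developer mode is in use, a remote attacker can exploit this vulnerability to execute arbitrary commands via unspecified vectors.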
Description
Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
File Snapshot

id: CVE-2012-0394 info: name: Apache Struts <2.3.1.1 - Remote Code Execution author: tess sev ...