Struts2 is a good thing
Disclaimer: * The tools in the article are for personal testing and research. Please delete them within 24 hours after downloading. Do not use them for commercial or illegal purposes.
Apache Struts 2 is exposed to remote command execution vulnerability, vulnerability number S2-045, CVE number CVE-2017-5638. When using the file upload function based on Jakarta plugin, there may be remote command execution, resulting in system hacking and vulnerability rating. For: high risk.
Vulnerability Details: A malicious user can trigger the vulnerability and execute system commands by modifying the Content-Type value in the HTTP request header when uploading the file.
Risk level: high risk.
Vulnerability risk: Hackers can implement remote command execution by exploiting vulnerabilities.
Impact version: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10.
Security version: Struts 2.3.32 or 22.214.171.124.
Fix suggestions: If you are using the Jakarta file upload plugin, please upgrade Struts to the secure version.
POC download address: https://github.com/tengzhangchao/Struts2_045-Poc
[struts2-052 vulnerability] (http://thief.one/2017/09/06/1)
[struts2-046 vulnerability] (http://thief.one/2017/03/21/Struts2-046%E6%BC%8F%E6%B4%9E/)
[struts2_045 vulnerability] (http://thief.one/2017/03/07/Struts2-045%E6%BC%8F%E6%B4%9E/)
[struts2 vulnerability poc summary] (http://thief.one/2017/03/13/Struts2%E6%BC%8F%E6%B4%9EPOC%E6%B1%87%E6%80%BB/)