CVE-2014-0094 PoC — Apache Struts 安全漏洞

Source

https://github.com/y0d3n/CVE-2014-0094

Associated Vulnerability

Title:Apache Struts 安全漏洞 (CVE-2014-0094)
Description:The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Readme

# CVE-2014-0094

検証用。

<https://piyolog.hatenadiary.jp/entry/20140417/1397750197> を参考に、

- vulhub/java:7u55-jdk
- tomcat-8.0.5
- struts-2.3.16

を再現。classLoaderは動いてるけど、肝心のログがパーセントエンコードされちゃってるのでRCEまでつながらない ><

---

windowsバージョンも追加(7u191だけど・・・)。  
これもだめなので、tomcatが原因かな・・？

File Snapshot


 [4.0K]  /data/pocs/6c2401db48e934b1f8d37775567291971eb12bd4
├── [ 136]  docker-compose.yml
├── [ 976]  Dockerfile
├── [ 874]  Dockerfile_win
└── [ 441]  README.md

0 directories, 4 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!