3. The vulnerability
• Nike Zheng reported a Remote Code Execution vulnerability in Apache Struts2 – CVE-2017-5638
• A bug in the Jakarta Multipart parser used by Apache Struts2 allows remote code execution by sending a crafted Content-Type header in the request.
• Apache Struts2 is a web framework based on the MVC design paradigm.
4. GET /struts-app HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://127.0.0.1:8080/
Connection: close
Content-Type: multipart/form-data
7. parse method in org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class
9. Call chain: findText > getDefaultMessage > TextParseUtil.translateVariables > evaluate method, which evaluates the OGNL expression carried in the Content-Type value (the error message built from the malformed header is passed through this chain).
OGNL – Object Graph Navigation Language
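As an added example (not part of the original slides), the following inspects the Content-Type header of a raw HTTP request and flags the two shapes relevant to slides 3 and 9: an OGNL expression marker in the value, and a multipart/form-data value with no boundary parameter, which is what sends the Jakarta parser down the error path that reaches findText. The sample requests are constructed; the placeholder expression is not a working payload.

```python
import re

# OGNL expression delimiters; these never belong in a Content-Type value.
OGNL_MARKERS = ("%{", "${")

# Constructed sample requests (not from the original slides).
BENIGN = (
    "GET /struts-app HTTP/1.1\r\n"
    "Host: 127.0.0.1:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----constructedBoundary\r\n"
    "\r\n"
)
SUSPICIOUS = (
    "GET /struts-app HTTP/1.1\r\n"
    "Host: 127.0.0.1:8080\r\n"
    "Content-Type: %{(#placeholder='constructed, not a working payload')}\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values for one raw HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def inspect_content_type(raw: str) -> list:
    """Return detection findings for the request's Content-Type header."""
    findings = []
    ctype = parse_headers(raw).get("content-type")
    if ctype is None:
        return findings
    # Finding 1: an OGNL marker in the header value.
    if any(marker in ctype for marker in OGNL_MARKERS):
        findings.append("ognl-marker-in-content-type")
    # Finding 2: multipart/form-data without a boundary is malformed and
    # triggers the multipart parser's error-message path described on slide 9.
    if ctype.lower().startswith("multipart/form-data") and not re.search(
        r"boundary=", ctype, re.IGNORECASE
    ):
        findings.append("multipart-missing-boundary")
    return findings

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_content_type(req))
```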