cbcvebase.
CVE-2016-3081
published 2016-04-26

Priority P181 · high 8.1 · CVSS 3.0
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 94.16% (99.8th percentile)
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Affected

57 ranges · showing 25
Vendor · Product · Version range · Fixed in
apache · struts

Detection & IOCs (extracted from sources)

url: GET /index.action?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20/etc/passwd HTTP/1.1
path: /blank-struts2/login.action
port: 8080
command: method: prefix OGNL chained expression RCE payload via ?method:%23_memberAccess
sigma
regex: root:.*:0:0:
  • Detect exploitation attempts by monitoring HTTP requests containing 'method:' prefix in the URI query string, particularly with OGNL expressions such as '%23_memberAccess' or '@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS'.
  • Use Shodan/FOFA queries to identify exposed Apache Struts instances: search for 'http.html:"apache struts"', 'http.title:"struts2 showcase"', 'http.html:"struts problem report"', 'body="struts problem report"', 'title="struts2 showcase"', or Google dork 'intitle:"struts2 showcase"'.
  • Exploitation involves chained OGNL expressions passed via the 'method:' prefix in the action URL. Monitor for URL-encoded OGNL tokens such as '%23', '@java.lang.Runtime@getRuntime().exec', and '@org.apache.struts2.ServletActionContext@getResponse()' in HTTP request URIs.
  • The Metasploit module uses a canary-based check: it injects an arithmetic expression via OGNL and looks for the computed sum wrapped in a random flag string in the HTTP 200 response body. Detect this pattern in responses or WAF logs.
  • Post-exploitation, the Metasploit module uploads a binary payload to /tmp/ and executes it via '/bin/sh -c'. Monitor for unexpected file creation in /tmp/ followed by chmod and shell execution on Struts application servers.
  • The vulnerability is only exploitable when Dynamic Method Invocation (DMI) is explicitly enabled in the Struts 2 configuration. Installations with DMI disabled are not affected.
  • Affected versions are Apache Struts 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28. Versions 2.3.20.2 and 2.3.24.2 are explicitly excluded from the vulnerable range in the Metasploit module.
  • The Metasploit module targets Linux x86 only (linux/x86/meterpreter/reverse_tcp_uuid payload). Exploitation on other platforms may require different staging.
  • If the application's home directory is not writable, the TMPPATH option must be overridden to a writable path for the file upload stage of exploitation to succeed.
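
One way to implement the request-URI check from the detection notes above, as an added example (not code from the Metasploit module or the Struts project). The access-log format, the sample lines and the `classify` and `fully_decode` helpers are assumptions constructed for illustration; the token list comes from the notes above.

```python
import re
from urllib.parse import unquote_plus

# OGNL tokens named in the detection notes, in decoded form.
OGNL_TOKENS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "@java.lang.Runtime@getRuntime",
    "@org.apache.struts2.ServletActionContext@getResponse",
)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# "method:" used as a parameter name, i.e. directly after "?" or "&".
METHOD_PREFIX_RE = re.compile(r"[?&]method:", re.IGNORECASE)

def fully_decode(uri, max_rounds=3):
    """Percent-decode repeatedly so double-encoded tokens are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(log_line):
    """Return 'high', 'review' or None for one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    uri = fully_decode(match.group(1))
    if not METHOD_PREFIX_RE.search(uri):
        return None          # no DMI method: prefix in the query string
    lowered = uri.lower()
    if any(token.lower() in lowered for token in OGNL_TOKENS):
        return "high"        # method: prefix carrying an OGNL expression
    return "review"          # DMI in use; may be legitimate application traffic

# Constructed sample lines (combined log format, payloads truncated).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2016:10:00:01 +0000] "GET /blank-struts2/login.action?username=alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Apr/2016:10:00:02 +0000] "GET /blank-struts2/login.action?method:cancel HTTP/1.1" 200 498',
    '203.0.113.9 - - [26/Apr/2016:10:00:03 +0000] "GET /index.action?method:%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23x HTTP/1.1" 200 90',
    '203.0.113.9 - - [26/Apr/2016:10:00:04 +0000] "GET /index.action?method:%2523_memberAccess%253d1 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

Access logs record only the request line, so a `method:` parameter sent in a POST body needs the same check applied at a proxy or WAF that sees the body.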

CVSS provenance

nvd · v3.0 · 8.1 HIGH · CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C