### [CVE-2018-11776](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Struts&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Remote%20Code%20Execution&color=brighgreen)

### Description

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

### POC

#### Reference
- http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://cwiki.apache.org/confluence/display/WW/S2-057
- https://cwiki.apache.org/confluence/display/WW/S2-057
- https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
- https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
- https://www.exploit-db.com/exploits/45260/
- https://www.exploit-db.com/exploits/45260/
- https://www.exploit-db.com/exploits/45262/
- https://www.exploit-db.com/exploits/45262/
- https://www.exploit-db.com/exploits/45367/
- https://www.exploit-db.com/exploits/45367/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

#### Github
- https://github.com/0day666/Vulnerability-verification
- https://github.com/0x0d3ad/Kn0ck
- https://github.com/0xT11/CVE-POC
- https://github.com/0xh4di/PayloadsAllTheThings
- https://github.com/1o24er/RedTeam
- https://github.com/20142995/Goby
- https://github.com/20142995/pocsuite3
- https://github.com/20142995/sectool
- https://github.com/3llio0T/Active-
- https://github.com/3vikram/Application-Vulnerabilities-Payloads
- https://github.com/649/Apache-Struts-Shodan-Exploit
- https://github.com/84KaliPleXon3/Payloads_All_The_Things
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Al1ex/Red-Team
- https://github.com/Apri1y/Red-Team-links
- https://github.com/ArunBhandarii/Apache-Struts-0Day-Exploit
- https://github.com/BitTheByte/Domainker
- https://github.com/BitTheByte/Eagle
- https://github.com/CTF-Archives/Puff-Pastry
- https://github.com/CVEDB/PoC-List
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/CrackerCat/myhktools
- https://github.com/Delishsploits/PayloadsAndMethodology
- https://github.com/Echocipher/Resource-list
- https://github.com/Ekultek/Strutter
- https://github.com/Elsfa7-110/kenzer-templates
- https://github.com/Firebasky/CodeqlLearn
- https://github.com/Fnzer0/S2-057-poc
- https://github.com/GhostTroops/TOP
- https://github.com/GhostTroops/myhktools
- https://github.com/GuynnR/Payloads
- https://github.com/HimmelAward/Goby_POC
- https://github.com/HxDDD/CVE-PoC
- https://github.com/IkerSaint/VULNAPP-vulnerable-app
- https://github.com/Ivan1ee/struts2-057-exp
- https://github.com/JERRY123S/all-poc
- https://github.com/LightC0der/Apache-Struts-0Day-Exploit
- https://github.com/Muhammd/Awesome-Payloads
- https://github.com/Nieuport/PayloadsAllTheThings
- https://github.com/Ondrik8/RED-Team
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/OzNetNerd/apche-struts-vuln-demo-cve-2018-11776
- https://github.com/PEAKWEI/WsylibBookRS
- https://github.com/Pav-ksd-pl/PayloadsAllTheThings
- https://github.com/Prodject/Kn0ck
- https://github.com/Ra7mo0on/PayloadsAllTheThings
- https://github.com/SexyBeast233/SecBooks
- https://github.com/Soundaryakambhampati/test-6
- https://github.com/Steven1ay/S2-057
- https://github.com/SummerSec/learning-codeql
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/XPR1M3/Payloads_All_The_Things
- https://github.com/Z0fhack/Goby_POC
- https://github.com/Zero094/Vulnerability-verification
- https://github.com/albinowax/ActiveScanPlusPlus
- https://github.com/alex14324/Eagel
- https://github.com/alex14324/mitaka
- https://github.com/alphaSeclab/sec-daily-2019
- https://github.com/andrysec/PayloadsAllVulnerability
- https://github.com/anhtu97/PayloadAllEverything
- https://github.com/anquanscan/sec-tools
- https://github.com/apkadmin/PayLoadsAll
- https://github.com/ax1sX/Automation-in-Java-Security
- https://github.com/ax1sX/Codeql-In-Java-Security
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/bhdresh/CVE-2018-11776
- https://github.com/brianwrf/S2-057-CVE-2018-11776
- https://github.com/byteofandri/CVE-2021-26084
- https://github.com/byteofjoshua/CVE-2021-26084
- https://github.com/chanchalpatra/payload
- https://github.com/cucadili/CVE-2018-11776
- https://github.com/cved-sources/cve-2018-11776
- https://github.com/cyberanand1337x/apache-exploit-old
- https://github.com/cyberanand1337x/bug-bounty-2022
- https://github.com/djschleen/ash
- https://github.com/dk47os3r/hongduiziliao
- https://github.com/do0dl3/myhktools
- https://github.com/eescanilla/Apache-Struts-v3
- https://github.com/falocab/PayloadsAllTheThings
- https://github.com/foreseeti/securicad-enterprise-sdk
- https://github.com/foreseeti/securicad-vanguard-sdk
- https://github.com/freshdemo/ApacheStruts-CVE-2018-11776
- https://github.com/gh0st27/Struts2Scanner
- https://github.com/github/securitylab
- https://github.com/habybobica12/apache
- https://github.com/hasee2018/Safety-net-information
- https://github.com/hellochunqiu/PayloadsAllTheThings
- https://github.com/hktalent/TOP
- https://github.com/hktalent/myhktools
- https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
- https://github.com/hudunkey/Red-Team-links
- https://github.com/hwiwonl/dayone
- https://github.com/hyeonql/WHS
- https://github.com/hyeonql/WHS_Struts2-S2-059-
- https://github.com/ice0bear14h/struts2scan
- https://github.com/iflody/codeql-workshop
- https://github.com/iqrok/myhktools
- https://github.com/jas502n/St2-057
- https://github.com/jbmihoub/all-poc
- https://github.com/jiguangsdf/CVE-2018-11776
- https://github.com/john-80/-007
- https://github.com/khodges42/Etrata
- https://github.com/khulnasoft-lab/SecurityLab
- https://github.com/khulnasoft-lab/vulnmap-ls
- https://github.com/khulnasoft/khulnasoft-ls
- https://github.com/knqyf263/CVE-2018-11776
- https://github.com/koutto/jok3r-pocs
- https://github.com/ksw9722/PayloadsAllTheThings
- https://github.com/landscape2024/RedTeam
- https://github.com/likescam/Apache-Struts-v3
- https://github.com/lnick2023/nicenice
- https://github.com/lp008/Hack-readme
- https://github.com/mazen160/struts-pwn_CVE-2018-11776
- https://github.com/mrhacker51/ReverseShellCommands
- https://github.com/murataydemir/CVE-2022-26134
- https://github.com/nevidimk0/PayloadsAllTheThings
- https://github.com/ninoseki/mitaka
- https://github.com/nobiusmallyu/kehai
- https://github.com/oneplus-x/Sn1per
- https://github.com/oneplus-x/jok3r
- https://github.com/orangmuda/CVE-2021-26084
- https://github.com/ozkanbilge/Apache-Struts
- https://github.com/pctF/vulnerable-app
- https://github.com/qazbnm456/awesome-cve-poc
- https://github.com/rahulr311295/strut
- https://github.com/ranjan-prp/PayloadsAllTheThings
- https://github.com/raoufmaklouf/cve5scan
- https://github.com/ravijainpro/payloads_xss
- https://github.com/reanimat0r/2018-11776playground
- https://github.com/s1kr10s/Apache-Struts-v4
- https://github.com/safe6Sec/CodeqlNote
- https://github.com/sanyaade-teachings/securicad-enterprise-sdk
- https://github.com/sanyaade-teachings/securicad-vanguard-sdk
- https://github.com/savenas/InfoSec
- https://github.com/shunyeka/DSSC-Vulnerabilities-report
- https://github.com/slimdaddy/RedTeam
- https://github.com/snyk/snyk-ls
- https://github.com/sobinge/--1
- https://github.com/sobinge/PayloadsAllTheThings
- https://github.com/sobinge/PayloadsAllThesobinge
- https://github.com/sonpt-afk/CVE-2018-11776-FIS
- https://github.com/sourcery-ai-bot/Deep-Security-Reports
- https://github.com/svbjdbk123/-
- https://github.com/swapravo/cvesploit
- https://github.com/tdcoming/Vulnerability-engine
- https://github.com/techgyu/WHS
- https://github.com/touchmycrazyredhat/myhktools
- https://github.com/trbpnd/2018-11776playground
- https://github.com/trbpnd/CVE-2018-11776
- https://github.com/trhacknon/myhktools
- https://github.com/tsheth/Cloud-One-Container-Image-Security-Demo
- https://github.com/tsheth/DSSC-Vulnerability-report
- https://github.com/tuxotron/cve-2018-11776-docker
- https://github.com/twensoo/PersistentThreat
- https://github.com/unusualwork/Sn1per
- https://github.com/we1h0/awesome-java-security-checklist
- https://github.com/weeka10/-hktalent-TOP
- https://github.com/wemindful/WsylibBookRS
- https://github.com/whoadmin/pocs
- https://github.com/winterwolf32/PayloadsAllTheThings
- https://github.com/woods-sega/woodswiki
- https://github.com/xbl3/awesome-cve-poc_qazbnm456
- https://github.com/xfox64x/CVE-2018-11776
- https://github.com/xiaoZ-hc/redtool
- https://github.com/yann-berthaux/struts57
- https://github.com/ynsmroztas/Apache-Struts-V4
- https://github.com/yut0u/RedTeam-BlackBox