Open yasserzamani opened 6 years ago
namespace value isn't set for a result defined in underlying configurations.
namespace is empty without Struts Convention Plugin.
So, it doesn't work.
Here says:
both of the following conditions should hold: 1) The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
It seems the PoCs work only when alwaysSelectFullNamespace is set to true, which is false by default except when the user or the Struts Convention Plugin sets it to true. @jas502n, could you check please?
Struts showcase does have almost all plugins included. Does your exploit work on a simple hello-world Struts 2 webapp or a webapp like showcase but without Struts Convention Plugin?
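
A defender-side check for the first condition quoted above, as an added example that is not part of the original thread or of Struts itself: it reports whether alwaysSelectFullNamespace ends up enabled for a deployment and which source decided it. The constant key `struts.mapper.alwaysSelectFullNamespace`, the plugin jar naming pattern, and the override order (plugin, then struts.xml, then struts.properties) are assumptions; the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

FLAG = "struts.mapper.alwaysSelectFullNamespace"  # assumed constant key
CONVENTION_JAR = re.compile(r"struts2-convention-plugin-[\w.\-]+\.jar$")  # assumed jar naming

def flag_from_xml(struts_xml):
    """Last <constant> value for FLAG in a struts.xml string, or None if unset."""
    value = None
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == FLAG:
            value = const.get("value", "").strip().lower()
    return value

def flag_from_properties(props):
    """Last FLAG value in a struts.properties string, or None if unset."""
    value = None
    for line in props.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")) and key.strip() == FLAG:
            value = val.strip().lower()
    return value

def effective_flag(struts_xml="", props="", lib_jars=()):
    """Return (enabled, deciding_source), applying sources in the assumed load order."""
    enabled, source = False, "default"  # the thread states false is the default
    if any(CONVENTION_JAR.search(jar) for jar in lib_jars):
        enabled, source = True, "convention plugin"  # plugin turns the flag on
    found_xml = flag_from_xml(struts_xml) if struts_xml.strip() else None
    for name, found in (("struts.xml", found_xml),
                        ("struts.properties", flag_from_properties(props))):
        if found is not None:  # an explicit setting overrides earlier sources
            enabled, source = found == "true", name
    return enabled, source

# Constructed sample inputs (not taken from any real application).
PLUGIN_LIBS = ["WEB-INF/lib/struts2-core-X.Y.Z.jar",
               "WEB-INF/lib/struts2-convention-plugin-X.Y.Z.jar"]
OPT_OUT_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
</struts>"""

if __name__ == "__main__":
    print(effective_flag())                                   # hello-world style app
    print(effective_flag(lib_jars=PLUGIN_LIBS))               # showcase-like app
    print(effective_flag(OPT_OUT_XML, lib_jars=PLUGIN_LIBS))  # plugin present, app opts out
```

The third case is the one an inventory by jar name alone would misreport: the plugin is on the classpath, but an explicit setting in struts.xml decides the outcome.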