Apache Struts 2 DefaultActionMapper method Remote Code Execution Exploit

The DefaultActionMapper class in Apache Struts 2 supports a Dynamic Method Invocation feature via the "method:" prefix. The information contained in this prefix is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework with the "struts.enable.DynamicMethodInvocation" configuration parameter in struts.xml set to True.
Exploit type: 
Platform: 
Vulnerability ID: CVE-2016-3081
Product Version: 2016_R1
Released Date: Tuesday, May 24, 2016 - 00:00
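
A defender can check for the two conditions described above: the "struts.enable.DynamicMethodInvocation" constant set to true in struts.xml, and requests whose "method:" parameter carries something other than a plain method name. The following is an added example, not code from the original page or from the Struts project. The function names, the sample configuration, the sample request lines and the identifier heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"
PREFIX = "method:"
# Heuristic (assumption): a legitimate "method:" value names a Java method,
# so it is a plain identifier.
PLAIN_METHOD = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*\Z")

# Constructed sample configuration (not taken from any real application).
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="true"/>
  <package name="shop" extends="struts-default"/>
</struts>"""

# Constructed sample request lines; the flagged value is a placeholder, not a payload.
SAMPLE_REQUESTS = [
    "GET /shop/cart.action?method:save=1 HTTP/1.1",
    "GET /shop/cart.action?id=7&method:%23PLACEHOLDER_EXPRESSION HTTP/1.1",
    "GET /shop/list.action?page=2 HTTP/1.1",
]

def dmi_enabled(struts_xml):
    """True/False if struts.xml sets the constant, None if it does not set it
    (the framework default of the deployed version then applies)."""
    for const in ET.fromstring(struts_xml).iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            return (const.get("value") or "").strip().lower() == "true"
    return None

def flag_method_params(request_lines):
    """Return (line_number, decoded_value) for each "method:" parameter whose
    value is not a plain method name. Only the query string is inspected."""
    hits = []
    for number, line in enumerate(request_lines, 1):
        parts = line.split()
        if len(parts) < 2 or "?" not in parts[1]:
            continue
        for param in parts[1].split("?", 1)[1].split("&"):
            name = unquote(param.split("=", 1)[0])
            if name.startswith(PREFIX) and not PLAIN_METHOD.match(name[len(PREFIX):]):
                hits.append((number, name[len(PREFIX):]))
    return hits

if __name__ == "__main__":
    print("DMI enabled in struts.xml:", dmi_enabled(SAMPLE_STRUTS_XML))
    for number, value in flag_method_params(SAMPLE_REQUESTS):
        print(f"line {number}: non-identifier method: value {value!r}")
```

Request lines in access logs only show query-string parameters, so parameters sent in a POST body need the same check applied at a proxy or WAF that sees the body.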